AUTHENTICATED 
U.S. GOVERNMENT 
INFORMATION ^ 


WHERE’S THE CIO? THE ROLE, RESPONSIBILITY 
AND CHALLENGE FOR FEDERAL CHIEF INFOR- 
MATION OFFICERS IN IT INVESTMENT OVER- 
SIGHT AND INFORMATION MANAGEMENT 


HEARING 


BEFORE THE 

SUBCOMMITTEE ON TECHNOLOGY, INFORMATION 
POLICY, INTERGOVERNMENTAL RELATIONS AND 

THE CENSUS 

OF THE 

COMMITTEE ON 
GOVERNMENT REFORM 

HOUSE OF REPRESENTATIVES 

ONE HUNDRED EIGHTH CONGRESS 

SECOND SESSION 

JULY 21, 2004 


Serial No. 108-260 


Printed for the use of the Committee on Government Reform 



Available via the World Wide Web: http://www.gpo.gov/congress/house 
http://www.house.gov/reform 


U.S. GOVERNMENT PRINTING OFFICE 
98-209 PDF WASHINGTON : 2005 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512—1800; DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 


COMMITTEE ON GOVERNMENT REFORM 


TOM DAVIS, Virginia, Chairman 

DAN BURTON, Indiana 


CHRISTOPHER SHAYS, Connecticut 
ILEANA ROS-LEHTINEN, Florida 
JOHN M. MCHUGH, New York 
JOHN L. MICA, Florida 
MARK E. SOUDER, Indiana 
STEVEN C. LaTOURETTE, Ohio 
DOUG OSE, California 
RON LEWIS, Kentucky 
JO ANN DAVIS, Virginia 
TODD RUSSELL PLATTS, Pennsylvania 
CHRIS CANNON, Utah 
ADAM H. PUTNAM, Florida 
EDWARD L. SCHROCK, Virginia 
JOHN J. DUNCAN, Jr., Tennessee 
NATHAN DEAL, Georgia 
CANDICE S. MILLER, Michigan 
TIM MURPHY, Pennsylvania 
MICHAEL R. TURNER, Ohio 
JOHN R. CARTER, Texas 
MARSHA BLACKBURN, Tennessee 
PATRICK J. TIBERI, Ohio 
KATHERINE HARRIS, Florida 


HENRY A. WAXMAN, California 
TOM LANTOS, California 
MAJOR R. OWENS, New York 
EDOLPHUS TOWNS, New York 
PAUL E. KANJORSKI, Pennsylvania 
CAROLYN B. MALONEY, New York 
ELIJAH E. CUMMINGS, Maryland 
DENNIS J. KUCINICH, Ohio 
DANNY K. DAVIS, Illinois 
JOHN F. TIERNEY, Massachusetts 
WM. LACY CLAY, Missouri 
DIANE E. WATSON, California 
STEPHEN F. LYNCH, Massachusetts 
CHRIS VAN HOLLEN, Maryland 
LINDA T. SANCHEZ, California 
C.A. “DUTCH” RUPPERSBERGER, Maryland 
ELEANOR HOLMES NORTON, District of 
Columbia 

JIM COOPER, Tennessee 
BETTY McCOLLUM, Minnesota 


BERNARD SANDERS, Vermont 
(Independent) 


Melissa Wojciak, Staff Director 
David Marin, Deputy Staff Director I Communica tions Director 
Rob Borden, Parliamentarian 
Teresa Austin, Chief Clerk 
Phil Barnett, Minority Chief of Staff I Chief Counsel 

Subcommittee on Technology, Information Policy, Intergovernmental 
Relations and the Census 

ADAM H. PUTNAM, Florida, Chairman 
CANDICE S. MILLER, Michigan WM. LACY CLAY, Missouri 

DOUG OSE, California STEPHEN F. LYNCH, Massachusetts 

TIM MURPHY, Pennsylvania BETTY McCOLLUM, Minnesota 

MICHAEL R. TURNER, Ohio 

Ex Officio 

TOM DAVIS, Virginia HENRY A. WAXMAN, California 

Bob Dix, Staff Director 

Dan Daily, Professional Staff Member I Deputy Counsel 
Juliana French, Clerk 

Adam Bordes, Minority Professional Staff Member 


(II) 



CONTENTS 


Page 

Hearing held on July 21, 2004 1 

Statement of: 

Brubaker, Paul, executive vice president and chief marketing officer, 

IS International; James Flyzik, partner, Guerra, Kiviat, Flyzik & Asso- 
ciates; and Debra Stouffer, vice president of strategic consulting serv- 
ices, Digitalnet 49 

Johnson, Clay, III, Deputy Director for Management, Office of Manage- 
ment and Budget; Karen Evans, Administrator, Office of E-Government 
and Information Technology, Office of Management and Budget; and 
David Powner, Director, Information Technology Management Issues, 

U.S. Government Accountability Office 8 

Nelson, Kimberly, Assistant Administrator of Environmental Information 
and Chief Information Officer, Environmental Protection Agency; Ste- 
ven Cooper, Chief Information Officer, Department of Homeland Secu- 
rity; Vance Hitch, Deputy Assistant Attorney General, Information Re- 
sources Management and Chief Information Officer, U.S. Department 
of Justice; and Ira Hobbs, Deputy Assistant Secretary for Information 


Systems and Chief Information Officer, Department of the Treasury 77 

Letters, statements, etc., submitted for the record by: 

Brubaker, Paul, executive vice president and chief marketing officer, 

IS International, prepared statement of 51 

Clay, Hon. Wm. Lacy, a Representative in Congress from the State of 

Missouri, prepared statement of 6 

Cooper, Steven, Chief Information Officer, Department of Homeland Se- 
curity, prepared statement of 90 

Evans, Karen, Administrator, Office of E-Government and Information 
Technology, Office of Management and Budget, prepared statement 

of 14 

Flyzik, James, partner, Guerra, Kiviat, Flyzik & Associates, prepared 

statement of 62 

Hitch, Vance, Deputy Assistant Attorney General, Information Resources 
Management and Chief Information Officer, U.S. Department of Jus- 
tice, prepared statement of 97 

Hobbs, Ira, Deputy Assistant Secretary for Information Systems and 
Chief Information Officer, Department of the Treasury, prepared state- 
ment of 104 

Johnson, Clay, III, Deputy Director for Management, Office of Manage- 
ment and Budget, prepared statement of 10 

Nelson, Kimberly, Assistant Administrator of Environmental Information 
and Chief Information Officer, Environmental Protection Agency, pre- 
pared statement of 80 

Powner, David, Director, Information Technology Management Issues, 

U.S. Government Accountability Office, prepared statement of 24 

Putnam, Hon. Adam H., a Representative in Congress from the State 

of Florida, prepared statement of 3 

Stouffer, Debra, vice president of strategic consulting services, Digitalnet, 
prepared statement of 67 


(III) 




WHERE’S THE CIO? THE ROLE, RESPONSIBIL- 
ITY AND CHALLENGE FOR FEDERAL CHIEF 
INFORMATION OFFICERS IN IT INVEST- 
MENT OVERSIGHT AND INFORMATION MAN- 
AGEMENT 


WEDNESDAY, JULY 21, 2004 

House of Representatives, 

Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census, 

Committee on Government Reform, 

Washington, DC. 

The subcommittee met, pursuant to notice, at 2:40 p.m., in room 
2154, Rayburn House Office Building, Hon. Adam Putnam (chair- 
man of the subcommittee) presiding. 

Present: Representatives Putnam, Miller, Murphy, Ose, Turner, 
Clay, and Lynch. 

Staff present: John Hambel, senior counsel; Dan Daly and Shan- 
non Weinberg, professional staff members/deputy counsels; Juliana 
French, clerk; Felipe Colon, fellow; Jamie Harper, legislative assist- 
ant; Colin Samples and Sean Hardgrove, interns; Adam Bordes, mi- 
nority professional staff member; and Jean Gosa, minority assist- 
ant clerk. 

Mr. Putnam. A quorum being present, this hearing of the Sub- 
committee on Technology, Information Policy, Intergovernmental 
Relations and the Census will come to order. Good afternoon and 
welcome to the subcommittee’s hearing on “The Role, Responsibil- 
ity and Challenge for Federal Chief Information Officers and IT In- 
vestment Oversight and Information Management.” 

In 1996, Congress passed the landmark Clinger-Cohen Act, 
bringing fundamental changes to the way the Federal Government 
manages information technology. One of the most important parts 
of the act was the establishment of the Chief Information Officer 
as the position that leads agency efforts to manage IT. 

Now, 8 years after the passage of Clinger-Cohen, we must ask: 
Where is the CIO? Who do they report to? What authority do they 
have? And why is the turnover for the position so high? 

As many know, this subcommittee releases a report card on each 
agency’s implementation of the Federal Information Security Man- 
agement Act. On the last report card, the average grade was a D. 
Additionally, the scores for implementing e-government under the 
President’s management agenda, although improving, are not ter- 
ribly encouraging. 


( 1 ) 



2 


The subcommittee has held several hearings throughout this 
Congress examining the CIO’s responsibilities, including managing 
IT investment, developing agency-wide enterprise architectures, 
and implementing sound information security practices. Through- 
out these hearings, I have learned that CIOs in the Federal Gov- 
ernment are facing significant uphill challenges in meeting their 
responsibilities. 

To better understand these problems, I asked the Government 
Accountability Office to examine the role of the CIO in Federal 
agencies. As we will hear today, some of the findings, and the ques- 
tions they raise, are intriguing. For example: 

The average tenure for a Federal CIO is only 23 months, yet ex- 
perts say that a CIO needs 3 to 5 years on the job to be effective. 
CIOs often do not have control over all IT investment in an agency. 

Major bureaus may buy IT systems without going through the 
CIO, making capital planning and effective IT management all the 
more difficult. 

CIOs juggle many responsibilities and often face internal push 
back as they try to institute reforms at their agencies. 

CIOs have 13 major areas of responsibilities, from IT investment 
management to e-government to privacy. And with time and new 
laws, the role is sure to expand. 

Finally, Clinger-Cohen requires that CIOs at the largest depart- 
ment and agencies report directly to the agency head, but this is 
not always the case. 

In an increasingly networked world, the Government has become 
more dependent on information technology to deliver its services. 
Federal agencies cannot operate efficiently without solid leadership 
from a CIO that is supported by the top officials in the agency. 

I look forward to hearing from our panels of experts on this topic, 
including the administration’s leadership in information tech- 
nology, as well as former and current CIOs, to see what this sub- 
committee and this Congress can do to improve the situation. 

I welcome all the witnesses. 

[The prepared statement of Hon. Adam H. Putnam follows:] 



3 



ONE HUNDRED EiGHTH CONGRESS 

Congress of the tJnitet) States 

llouse of Ecpresentatibes; 

COMMITTEE ON GOVERNMENT REFORM 
2157 Rayburn House Office Building 
Washington, DC 20515-6143 

Mojo no* 0a )22V90M 
<2021 JSS-505I 

www.housc.gov/relomi 



BRHNABO SANCK AS. VERMONT. 
■NDEPENOCHr 


Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census 

Congressman Adam Putnam, Chairman 



OVERSIGHT HEARING 

STATEMENT BY ADAM PUTNAM, CHAIRMAN 

Hearing topic: “Where’s the CIO? The Role, Responsibility and Challenge for 
Federal Chief Information Officers in IT Investment Oversight 
and Information Management” 

Wednesday, July 21, 2004 
1:30 p.m. 

Room 2154, Rayburn House Office Building 

OPENING STATEMENT 


Good afternoon and welcome to the Subcommittee’s hearing on “The Role, 
Responsibility, and Challenge for Federal Chief Information Officers in IT Investment Oversight 
and Information Management.” 

In 1996, Congress passed the landmark Clinger-Cohen Act, bringing fundamental 
changes to the way the federal government manages information technology. One of the most 
important parts of the Act was the establishment of the Chief Information Officer as the position 
that leads agency efforts to manage information technology. 

Now, 8 years after the passage of Clinger-Cohen, we must ask: Where is the CIO? Who 
do they report to? What authority do they have? Why is the turnover for the CIO position so 
high? 



4 


As many know, this Subcommittee releases a report card on each agency’s 
implementation of the Federal Information Security Management Act. On the last report card, 
the average grade was a “D.” Additionally, the scores for implementing e-government under the 
President’s Management Agenda, although improving, are not encouraging. 

The Subcommittee has held several hearings throughout this Congress examining the 
CIO’s responsibilities, including managing IT investment, developing agency-wide enterprise 
architectures, and implementing sound information security practices. Throughout these 
hearings, I have learned that CIOs in the federal government are facing significant uphill battles 
in meeting their responsibilities. 

To better understand these problems, I asked the Government Accountability Office to 
examine the role of the CIO in federal agencies. As we will hear today, some of the findings - 
and the questions they raise - are intriguing. For example: 

The average tenure for a federal CIO is only 23 months, yet experts say that a CIO needs 
3-5 years on the job to be effective. 

CIOs often do not have control over all TT investment in an agency. Major bureaus may 
buy IT systems without going through the CIO, making capital planning and effective IT 
management all the more difficult. 

CIOs juggle many responsibilities and often times face internal push back as they try to 
institute reforms at their agencies. 

Federal CIOs have 13 major areas of responsibility - from IT investment management to 
e-government to privacy. And with time and new laws, the role of the CIO is expanding. 

Finally, Clinger-Cohen requires that CIOs at the largest departments and agencies report 
directly to the agency head but this is not always the case. 

In an increasingly networked world, the government has become more dependent on 
information technology to deliver its services. Federal agencies cannot operate efficiently and 
effectively without solid leadership from a CIO that is supported by the very top officials in the 
agency. 


I look forward to hearing from our panels of experts on this topic, including the 
Administration’s leadership on information technology, as well as former and current CIOs, to 
see what this committee and this Congress can do to improve this situation. 

I welcome all of the witnesses. 


tttt tt ft titt 



5 


Mr. Putnam. As is the case with all of our hearings, it is being 
Webcast and can be viewed by going to reform.house.gov and 
clicking on multimedia. 

I would like to recognize the distinguished Member from Mis- 
souri, the gentleman, Mr. Clay, for any opening remarks that he 
may wish to have. 

Thank you. 

Mr. Clay. Thank you, Mr. Chairman, and I thank the witnesses 
for taking their time to be with us today. 

I consider today’s hearing an opportunity to extend the dialog 
our subcommittee established in March, when several of today’s 
witnesses testified about the strengths and weaknesses of IT over- 
sight within the CIO community. Since the Federal Government 
will spend approximately $60 billion on IT in fiscal year 2004, we 
must strive to utilize the best practices for implementation and 
oversight of our Government’s investments. 

According to GAO’s testimony, the CIO community is facing chal- 
lenges due to limited resources, a strained IT work force, and the 
inconsistent delegation of IT management duties among non-CIO 
personnel. Further, the lack of tenure among CIOs is hindering 
agencies from achieving their long-term IT management goals and 
objectives. Such factors tell us why agencies rarely meet their full 
potential with regard to strategic planning, IT investment manage- 
ment, and work force training and development. 

At the heart of the matter are two issues. First, with an average 
CIO tenure of 23 months, we must promote mechanisms to ensure 
that long-term strategic planning and implementation does not 
cease due to limited tenures among those who serve. Second, I be- 
lieve we ought to examine the issue of statutorily authorized CIO 
responsibilities that are being delegated to non-CIO personnel. Per- 
haps these problems stem from the lack of tenure among CIOs, 
human capital deficiencies, or inadequate agency planning. Never- 
theless, it is our responsibility to identify the root cause of these 
problems and seek out appropriate remedies. 

Thank you, Mr. Chairman, and I ask unanimous consent that the 
full text of my remarks be included in the record. 

Mr. Putnam. Without objection. 

[The prepared statement of Hon. Wm. Lacy Clay follows:] 



6 


STATEMENT OF THE HONORABLE WM. LACY CLAY 
ROLE OF THE FEDERAL CIO 
JULY 21,2004 

Thank you Mr. Chairman, and 1 thank the witnesses 
for taking their time to be with us today. 

I consider today’s hearing an opportunity to extend 
the dialogue our subcommittee established in March 
when several of today’s witnesses testified about the 
strengths and weaknesses of IT oversight within the 
CIO community. Since the federal government will 
spend approximately $60 billion on IT in fiscal year 
2004, we must strive to utilize the best practices for 
implementation and oversight of our government’s 
investments. 

According to GAO’s testimony, the CIO 
community is facing challenges due to limited 
resources, a strained IT workforce, and the inconsistent 
delegation of IT management duties among non-CIO 
personnel. Further, the lack of tenure among CIOs is 
hindering agencies from achieving their long-term IT 
management goals and objectives. Such factors tell us 
why agencies rarely meet their full potential with regard 
to strategic planning, IT investment management, and 
workforce training and development. 

At the heart of the matter are two issues. First, 
with an average CIO tenure of 23 months, we must 
promote mechanisms to ensure that long-term strategic 



7 


planning and implementation does not cease due to 
limited tenures among those who serve. Second, 1 
believe we ought to examine the issue of statutorily 
authorized CIO responsibilities that are being 
delegated to non-CIO personnel. Perhaps these 
problems stem from the lack of tenure among CIOs, 
human capitol deficiencies, or inadequate agency 
planning. Nevertheless, it is our responsibility to 
identify the root cause of these problems and seek out 
appropriate remedies. 

Thank you, Mr. Chairman, and I ask unanimous 
consent that the full text of my remarks be included in 
the record. 



8 


Mr. Putnam. With that, I would ask the first panel and anyone 
accompanying you who will be answering your questions to please 
rise for the administration of the oath. 

[Witnesses sworn.] 

Mr. Putnam. Note for the record that all the witnesses re- 
sponded in the affirmative, and we will move directly into testi- 
mony. 

Our first witness is Mr. Clay Johnson. We are very appreciative 
of the time that he has made to be before this subcommittee. Mr. 
Johnson is Deputy Director for Management at the Office of Man- 
agement and Budget, where he provides governmentwide leader- 
ship to executive branch agencies to improve agency and program 
performance. Before that he was Assistant to the President for Per- 
sonnel, responsible for the organization that identifies and recruits 
4,000 Government officials. He received his undergraduate degree 
from Yale and a master’s from MIT’s Sloane School of Manage- 
ment. 

Welcome to the subcommittee, and we look forward to your testi- 
mony. You are recognized. 

STATEMENTS OF CLAY JOHNSON III, DEPUTY DIRECTOR FOR 

MANAGEMENT, OFFICE OF MANAGEMENT AND BUDGET; 

KAREN EVANS, ADMINISTRATOR, OFFICE OF E-GOVERN- 

MENT AND INFORMATION TECHNOLOGY, OFFICE OF MAN- 
AGEMENT AND BUDGET; AND DAVID POWNER, DIRECTOR, 

INFORMATION TECHNOLOGY MANAGEMENT ISSUES, U.S. 

GOVERNMENT ACCOUNTABILITY OFFICE 

Mr. Johnson. Mr. Chairman, Ranking Member Clay, thank you 
for having me here today. I bet that I am going to refer you to 
Karen Evans for a lot of your questions, but let me give you my 
general comments and a general view of IT and e-government in 
the CIO world. 

As you mentioned, Ranking Member Clay, we spend almost $60 
billion a year on IT, more than anybody else in the world. We 
ought to be nearly the best at it, and we are not, and we share that 
goal. We need to figure out what we need to do to make sure that 
we are the best at IT since this is a goal we share. 

Something that the Federal Government does a lot of is sending 
information to people and receiving information from people; we 
send them money, they send us money. A lot of information and 
money changes hands. We take large amounts of information and 
we try to make sense of it for intelligence purposes; we take a lot 
of information and put it in the hands of Federal managers so that 
they can manage programs and costs more effectively. We move a 
lot of information around, and it costs us $60 billion a year to do 
that. 

The CIO is the person in the agency who is responsible for mak- 
ing sure that money is being spent most intelligently, and that the 
IT operations are producing the functionality that we intended 
when you all authorized and appropriated the money consequently, 
the CIO is extremely important. 

Relative to a couple of questions that have been asked and sug- 
gested here, I personally do not believe that the CIO needs to re- 
port to the Secretary of the department. The CIO needs to work for 



9 


somebody who can help him or her be successful, and that is typi- 
cally not the Secretary. The CIO is plenty important in an organi- 
zation without having to report to the Secretary. I think the CIO 
ought to report to the senior management person in an organiza- 
tion. At Homeland Security, for instance, that is Under Secretary 
for Management, Janet Hale, who works most closely with Jim 
Loy. In a lot of agencies, it is the Deputy Secretary. To me, working 
for the Secretary is not the issue; it is working with somebody who 
is most involved in how the department is managed. 

And I think in terms of the primary responsibility that a CIO 
has, that the CIO in an organization does a whole lot. I think the 
CIO’s primary responsibility is to make sure that it is very, very, 
very clear what a new IT project or an old IT project is supposed 
to accomplish and what the desired functionality is. Usually, is the 
bigger the project, the more disastrous it is or the more telling it 
is. Oftentimes, we will get in the middle of the development of new 
IT projects, and it is not clear what it is we are trying to accom- 
plish, and then the problems begin. And the CIO, in my mind, is 
the regulator, the person at the agency that can assure that does 
not happen. Additionally, the CIO ensures that the program man- 
agers cannot spend IT funds unless the disciplines are in place, 
and it is really clear what we are supposed to be accomplishing, at 
what cost, for whom, and by when. And that is the primary role, 
in my opinion, from a 20,000 foot view, for a CIO. There are other 
responsibilities as well, but I think our discussion here should be 
what does the CIO need to have to make sure he or she can per- 
form that role most effectively. 

[The prepared statement of Mr. Johnson follows:] 



10 



EXECUTIVE OFFICE OF THE PRESIDENT 


OFFICE OF MANAGEMENT AND BUDGET 

WASHINGTON, D.C, 20S03 


STATEMENT OF THE HONORABLE CLAY JOHNSON HI 
DEPUTY DIRECTOR FOR MANAGEMENT 
OFFICE OF MANAGEMENT AND BUDGET 


BEFORE THE COMMITTEE ON GOVERNMENT REFORM 
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, 
INTERGOVERNMENTAL RELATIONS, AND THE CENSUS 
U.S. HOUSE OF REPRESENTATIVES 

July 21, 2004 

Good afternoon, Mr. Chairman, Ranking Member Clay, and Members of the 
Committee. Thank you for inviting me to speak about role of an agency Chief 
Information Officer. I have the opportunity to work closely with Federal CIOs, 
primarily through Karen Evans, the head of OMB’s office of E-gov/Information 
Technology. 


CIOs are critical to the success of their departments and agencies. The CIO is an 
agency’s manager of information resources. In this capacity, he or she is a strategic 
advisor to the Secretary and Deputy Secretary about how IT investments and 
activities can be used to improve service levels and program efficiency and 



11 


effectiveness. The CIO ensures that service, performance and cost goals are 
clearly defined and the focus for each IT project and activity. Additionally the 
CIO ensures that our systems are secure, our citizen’s personal information is 
protected, and IT projects are delivered on time and on budget (with particular 
attention to be paid to large projects). Another important CIO role is reducing the 
amount of burdensome paperwork created by the Federal government. 

CIOs must be results-oriented and focused on performance, not outputs. To be 
most effective, the CIO should work most with and be responsible to the 
Department’s top management person, which in most cases is the Deputy 
Secretary. The CIO needs to be personable, broad and strategic enough to form 
strong partnerships with Agency, financial, procurement, and real property 
leadership. Also the CIO should be a proven people and project manager. 

Finally, the CIO must keep pace with rapidly changing technology and the need to 
integrate all areas of agency service delivery (paper, phone, web, office visits). 

Departments and agencies are increasingly deploying information technologies to 
serve and assist citizens, taxpayers, and Federal managers and employees, more 
accurately, quickly and efficiently. We spend more money on IT than any other 
organization in the world; so we should aspire to be the best at it. Our success in 
this area starts with and depends most on the capabilities of our CIOs. 



12 


Mr. Putnam. Thank you, Mr. Johnson. 

Our next witness, our most frequent witness, is Ms. Karen 
Evans. Ms. Evans was appointed by President Bush to be the Ad- 
ministrator of the Office of Electronic Government and Information 
Technology at the Office of Management and Budget. Ms. Evans is 
a 20-year veteran of the Federal Government. Before joining OMB, 
she was Chief Information Officer at the Department of Energy 
and served as vice chairman of the CIO Council. Previously, she 
served at the Department of Justice as Assistant and Division Di- 
rector for Information System Management. 

Welcome again. You are recognized. 

Ms. Evans. Good afternoon, Mr. Chairman and Ranking Member 
Clay. Thank you for inviting me to speak about the critical role 
that chief information officers play in driving increased agency per- 
formance, achieving results, and serving our citizens. 

In fiscal year 2005, the Federal Government will spend $60 bil- 
lion on information technology. This afternoon I will outline the vi- 
sion, strategy, and tools the Office of Management and Budget and 
the Federal CIO Council have developed to enable CIOs to be more 
successful. 

Eight years ago Congress passed the Clinger-Cohen Act, creating 
the position of CIO and elevating them to senior management 
rank. Throughout the last 8 years, but especially under the focused 
attention of the President’s management agenda and as a result of 
the E-Government Act of 2002, CIOs have taken on new and ex- 
pansive responsibilities. 

To be most effective, the CIO should work most with and be re- 
sponsible to the department’s top management person, which in 
most cases, as previously stated, is the deputy secretary. Without 
a high performing and capable CIO, an agency will not be able to 
fully achieve the goals of the President, Congress, and the Amer- 
ican people. 

As for my role, the OMB’s Office of E-Government and Informa- 
tion Technology is statutorily responsible for managing Federal 
Government information technology and policy. 

Throughout the past few years, we have implemented a series of 
tools to support Federal CIOs. 

First, we are empowering CIOs to drive business and technology 
change through the President’s management agenda scorecard. 
Supported by their secretary and deputy secretary, agency CIOs 
use the scorecard to manage agency performance. 

Second, we are driving accountability and responsibility to agen- 
cy bureaus and program offices by requiring agencies to score and 
remediate their exhibit 300 IT business cases before submission to 
OMB. Also, we are requiring a closer alignment between the 300’s 
and the Program Assessment Rating Tool, or the PART, to assist 
the CIO in ensuring that IT investments enhance and compliment 
the overall objective of a particular program. 

Third, we are positioning CIOs to play a key part in the long- 
term success of their agency through our investment in enterprise 
architecture. Developing their enterprise architecture, CIOs iden- 
tify IT investments and develop a blueprint for the future, includ- 
ing detailed transition plans. Enterprise architecture, supported by 



13 


budget and related data, is bringing greater rigor and stronger de- 
cisionmaking to information resource management. 

Fourth, we are enabling CIOs to provide leadership for IT invest- 
ment performance by setting cost, schedule and performance re- 
quirements. Agencies are required to use the same standard used 
in industry. This will result in tighter management and increased 
investment responsibility by the immediate IT project manager and 
CIO. 

Fifth, we are providing CIOs with the ability to realize consider- 
able cost savings for their agencies through acquisition activities 
such as the SmartBuy program. This allows dollars to be invested 
in providing better services and stronger results for core mission 
responsibilities. 

In addition to OMB, the Federal CIO Council plays a critical role 
in supporting CIOs in fulfilling their obligation to serve their fellow 
Americans, identify new governmentwide solutions, and ensure 
their agency strategic goals are achieved. The Council is successful 
because it exemplifies a critical e-government principle: encourag- 
ing cooperation and sharing of ideas and resources. 

The Council is led by OMB Deputy Director for Management, di- 
rected by myself, and vice-chaired by Dan Matthews, the CIO at 
the Department of Transportation. The Council membership con- 
sists of agency CIOs who chair committees focused on critical 
issues before the Federal IT community. In consultation with OMB, 
these committees are developing the tools to assist their fellow 
CIOs and agency IT employees, including the CIO strategic plan 
and the most recent recommendations on IT work force project 
management qualifications. 

While the necessary tools are in place, the road ahead for Fed- 
eral CIOs is not without its challenges. To realize the vision of the 
President’s management agenda and the E-Government Act of 
2002, CIOs must provide leadership to achieve their e-government 
migration milestones. In this, cross-agency collaboration is critical, 
both within an agency and across agencies. We need to continue to 
work in partnership with Congress, industry, and State and local 
governments. 

In conclusion, the administration will continue to work with 
agency heads, CIOs, and the CIO Council to empower CIOs to 
achieve results and transform our Federal Government into a more 
citizen service organization. 

We look forward to continued work with the committee on this 
matter, and I would be pleased to take questions at the appropriate 
time. 

[The prepared statement of Ms. Evans follows:] 



14 


STATEMENT OF THE HONORABLE KAREN EVANS 
ADMINISTRATOR FOR ELECTRONIC GOVERNMENT AND 
INFORMATION TECHNOLOGY 
OFFICE OF MANAGEMENT AND BUDGET 

BEFORE THE COMMITTEE ON GOVERNMENT REFORM 
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, 
INTERGOVERNMENTAL RELATIONS, AND THE CENSUS 
U.S. HOUSE OF REPRESENTATIVES 

July 21,2004 


Good afternoon, Mr. Chairman, Ranking Member Clay, and Members of the 
Committee. Thank you for inviting me to speak about the critical role Chief 
Information Officers (CIO) play in driving increased agency performance, 
achieving results and serving our citizens. 

In fiscal year 2005, the Federal government will spend $60 billion on information 
technology (IT). This afternoon I will outline the vision, strategy and tools the 



15 


Office of Management and Budget (OMB) and the Federal CIO Council have 
developed to enable CIOs to be more successful. 

Eight years ago Congress passed the Clinger-Cohen Act creating the position of 
CIO and elevating them to senior management rank. Throughout the last eight 
years, but especially under the focused attention of President George W. Bush’s 
Management Agenda and as a result of the E-Govemment Act of 2002, CIOs have 
taken on new and expansive responsibilities. 

To set the stage, an effective CIO is a strategic thinker and a coordinator, not a 
technical implementer. They are also a service provider working across the agency 
to use IT to resolve business problems. I like to think of a CIO as the agency’s 
orchestra conductor of information resources and technology. They possess the 
necessary technical skills to play “first violin,” however their role is to oversee and 
coordinate the vast infonnation resources within an agency. 

To be most effective, the CIO should work most with and be responsible to the 
Department’s top management person, which in most cases is the Deputy 
Secretary. Their responsibilities are wide and deep. Without a high performing 



16 


and capable CIO, an agency will not be able to fully achieve the goals the 
President, Congress and the American people demand. 

The OMB Office of E-government and Information Technology is statutorily 
responsible for managing Federal government information technology and policy. 
As such, we provide guidance, consult, and support agency CIOs on a daily basis. 

Office of Management and Budget 

Throughout the past few years, we have developed a set of tools to enhance the 
role of a chief information officer, and put these tools to work. Here are five 
examples. 

First, we are empowering CIOs to drive business and technology change through 
the President’s Management Agenda scorecard. Supported by their Secretary and 
Deputy Secretary, agency CIOs use the scorecard to manage agency IT investment 
performance, expand the enterprise architecture, foster e-govemment cooperation, 
develop sound business cases, and drive compliance with the Federal Information 
Security Management Act. In fact, CIOs are working with agency program, 
contracting and financial management officials and are using the scorecard as a 
tool to drive e-govemment accountability and leadership responsibility. In previous 



17 


testimony before this committee, we have identified the need for strong 
management leadership to achieve IT reform and robust cyber security protection. 
The scorecard is a helpful tool in achieving results in all of these areas. 

Second, we are driving accountability and responsibility to agency bureaus and 
program offices by requiring agencies to score their FY06 exhibit 300 IT business 
cases before submission to OMB. Cases which fail agency internal scoring must be 
remediated before being submitted to OMB. Also, we are requiring a closer 
alignment between the exhibit 300s and the Program Assessment Rating Tool (or 
PART) to assist the CIO in ensuring the IT investments enhance and complement 
the overall objective of the particular program. Each year OMB receives a 
significant number of low quality exhibit 300s. This new requirement will enable 
the agencies to provide high quality budget submissions and drive greater 
accountability and responsibility for IT management. 

Third, we are positioning CIOs to play a key part in the long-term success of their 
agency through our investment in Enterprise Architecture. Developing their 
enterprise architecture, CIOs identify IT investments and develop a blueprint for 
the future including a detailed transition plan. Enterprise architecture, supported by 
budget and related data, is bringing greater rigor and stronger decision making to 



18 


information resource management. Three years ago, the principles of the 24 
Presidential E-Govemment Initiatives were the foundation for the building of the 
Federal Enterprise Architecture, and today the five lines of business task forces are 
identifying cost savings and technology solutions through analysis of enterprise 
architecture data. Architecture is one tool which enables CIOs to develop common 
agency and government-wide solutions. 

Fourth, we are enabling CIOs to provide leadership for IT investment performance 
by setting cost, schedule and performance requirements. Program offices which are 
required to monitor these quantitative indicators cannot wait until the CIO reviews 
to determine if the project is off target. Instead, the requirement agency’s use the 
same standard used in industry to monitor cost, schedule, and performance will 
result in tighter management and increased investment responsibility by the 
immediate IT project manager and CIO. 

Fifth, we are providing CIOs with the ability to realize considerable cost savings 
for their agencies through acquisition activities such as the SmartBuy program. 
This allows dollars to be invested in providing better services and stronger results 
for core mission responsibilities. SmartBuy is changing the concept of the Federal 
IT “enterprise.” For many decades, the “enterprise” was an ad-hoc collection of 



19 


agency bureaus, program offices and field operations. Over time, SmartBuy and 
other acquisition activities are redefining the enterprise as the one Federal 
government and driving cost savings and avoidance. Agency CIOs are using 
Smartbuy offerings to drive significant cost savings for agencies without loss of 
quality. 

The Federal CIO Council 

In addition to OMB, the Federal CIO Council plays a critical role in supporting 
CIOs in fulfilling their obligation to serve their fellow Americans, identify new 
government-wide solutions and ensure their agency strategic goals are achieved. 
The Council is successful because it exemplifies a critical e-govemment principle 
- business goals and results can be achieved by breaking down silos of thought and 
encouraging cooperation and sharing of ideas and resources. 

The Council is led by the OMB Deputy Director of Management, directed by 
myself and Vice-chaired by Dan Matthews, CIO at the Department of 
Transportation. The Council membership consists of agency CIO’s who chair 
committees focused on critical issues before the Federal IT community: Best 
Practices, Workforce & Human Capital, Governance, and Architecture & 
Infrastructure. In consultation with OMB, these committees are developing the 



20 


tools to assist their fellow CIO’s and agency IT employees. Today I would like to 
highlight two examples. 

The council adopted a strategic plan for 2004, which sets results-orientated goals 
for agency CIOs focused on cost savings, strategic IT management and project 
management. 

The council has also collaborated to ensure our IT workforce is qualified, trained, 
and prepared to manage projects and integrate existing and emerging technologies 
and to meet the requirements in the Clinger Cohen Act. Ira Hobbs, CIO of the 
Department of Treasury, and Janet Barnes, CIO of the Office of Personnel 
Management, released guidance on IT workforce project manager qualifications 
for use by agency CIOs. This is one of the many products and tools this committee 
has developed. 

Challenges Ahead 

While the necessary tools are in place, the road ahead for Federal CIOs is not 
without its challenges. To realize the vision of the President’s Management 
Agenda and the E-Govemment Act of 2002, CIOs must provide leadership to 
achieve their e-govemment migration milestones. In this, cross-agency 



21 


collaboration is critical, both within an agency and across agencies. We need to 
continue to work in partnership with the Congress, industry and state and local 
governments. 

Conclusion 

In conclusion, the Administration will continue to work with agency heads, CIOs 
and the CIO Council to empower CIOs to achieve results and transform our 
Federal government into a more citizen-centered organization. 

We look forward to continued work with the committee on this matter and I would 
be pleased to take questions at the appropriate time. 



22 


Mr. Putnam. Thank you, Ms. Evans. 

Our third witness for this panel is David Powner. Dave Powner 
is responsible for a large segment of GAO’s information technology 
work, including systems development and IT investment manage- 
ment reviews. He has over 15 years of public and private informa- 
tion technology-related experience. In the private sector, he had 
several positions with Quest Communications, including director of 
internal audits, responsible for information technology and finan- 
cial audits, and director of information technology, responsible for 
Quest digital subscriber lines software development efforts. 

He has an undergraduate degree from the University of Denver 
and a graduate’s degree from Harvard. 

Welcome to the subcommittee. You are recognized for 5 minutes. 

Mr. Powner. Thank you, Mr. Chairman, Ranking Member Clay. 
We appreciate the opportunity to testify on the report we are re- 
leasing today on Federal CIOs. We have long been proponents of 
having strong agency CIOs to lead technology solutions that im- 
prove program performance. 

Eight years ago the Clinger-Cohen Act first required agency 
heads to designate CIOs. Effective CIOs can make significant dif- 
ferences in building the capabilities needed to implement improve- 
ments in the management of the billions spent annually on IT. 

This afternoon I will discuss CIO responsibilities and reporting 
relationships, tenure, and major challenges. I will also discuss ac- 
tions to address our findings. 

First, CIO responsibilities and reporting relationships. As this 
chart to your left, Mr. Chairman, illustrates, the 27 major depart- 
ments and agency CIOs are generally responsible for most of the 
13 key areas required by statute on critical to effective information 
and technology management. Not surprising, all 27 CIOs reported 
that they are responsible for areas such as capital planning and in- 
vestment management, enterprise architecture, and information se- 
curity. 

However, not all CIOs are responsible for each of the areas called 
for in law, and views were mixed as to whether it is important for 
CIOs to have responsibilities for each of these areas. A significant 
number of CIOs who do not hold these responsibilities believe that 
it did not present a problem because other organizational units 
were appropriately assigned these duties. A few former CIOs told 
us that some of these areas were distractions from CIOs’ primary 
responsibilities. 

Regarding reporting relationships, 19 of the 27 CIOs told us that 
they report to the agency head as required by law. Consistent with 
Mr. Johnson’s comments, views were mixed as to whether it is im- 
portant for the CIO to report to the agency head. Some stated that 
a direct reporting relationship was crucial, especially when influ- 
encing budgets and policy decisions. Others stated that organiza- 
tional placement was not as important as credibility and relation- 
ships with other key executives. 

Next, regarding CIO tenure since Clinger-Cohen was enacted. 
The median tenure of agencies’ permanent CIOs is just less than 
2 years, or 23 months. Career ClOs, on average, stayed longer than 
political appointees. Nevertheless, in either case CIOs are staying 
less than the 3 to 5 years that was most commonly cited by both 



23 


current and former CIOs as the time needed for a CIO to be effec- 
tive. 

Since 1996, only about a third of the permanent CIOs who had 
completed their time in office stayed 3 years or more. Among rea- 
sons cited for high turnover were the political environment, pay dif- 
ferentials with the private sector, and the significant challenges 
CIOs face. Too short a tenure can reduce the CIO’s effectiveness 
and ability to address the major challenges cited. These challenges 
included implementing effective IT governance practices, obtaining 
sufficient and relevant resources, and communicating and collabo- 
rating within the agency and with external partners. 

Congress and agencies can take actions to address these findings. 
With respect to Congress, hearings such as this, Mr. Chairman, 
help to raise the issues and suggest solutions. To further assist you 
in your oversight role, as requested, we are beginning work on pri- 
vate sector CIO responsibilities and best practices to complement 
the report we are releasing today. 

Agencies too can take actions to address the high turnover rate 
and challenges cited. Specifically, human capital flexibilities such 
as recruiting bonuses, retention allowances, and critical position 
pay authority may help to attract and retain qualified candidates. 

Regarding the major challenge of implementing effective govern- 
ance practices, GAO and others have issued guides to assist agen- 
cies in institutionalizing sound governance such as our IT invest- 
ment management framework. 

In summary, not all CIOs are responsible for the areas called for 
in law, nor do they all report to the agency head. In addition, most 
CIOs do not stay in office for the 3 to 5 years recommended. Given 
the many challenges facing CIOs, having laws that focus on the 
most effective assignment of responsibilities, flexibilities to lessen 
turnover, and governance practices to effectively manage critical 
areas will be essential. 

This concludes my statement, Mr. Chairman. I would be pleased 
to respond to any questions that you have at this time. 

[The prepared statement of Mr. Powner follows:] 



24 


GAO 

United States Government Accountability Office 

Testimony 

Before the Subcommittee on Technology, 
Information Policy, Intergovernmental 
Relations and the Census, House 
Committee on Government Reform 

For Release on Delivery 

Expected at 2:00 p.m. EDT 
Wednesday, July 21, 2004 

INFORMATION AND 

TECHNOLOGY 

MANAGEMENT 


Responsibilities, Reporting 
Relationships, Tenure, and 
Challenges of Agency Chief 
Information Officers 


Statement of David A. Powner, 

Director, Information Technology 

Management Issues 


A G A 0 

^■■■■■■■■■■^ Accountability * Integrity * Reliability 


GAO-04-957T 




25 


i 

IGA 

AccounlatUHtyinlegrity. RrllnbHiiy 

Highlights 

Highlights of GAO-04-957T, testimony 
before the Subcommittee on Technology. 
Information Policy. Intergovernmental 
Relations and the Census, Committee on 
Government Reform, House of 
Representatives 

Why GAO Did This Study 

Federal agencies rely extensively 
on information technology (IT) to 
effectively implement major 
government programs. To help 
agencies manage their substantial 
IT investments, the Congress has 
established a statutory framework 
of requirements, roles, and 
responsibilities relating to IT 
management. 

GAO was asked to summarize its 
report, being issued today, on 
federal chief information officers' 
(CIO) responsibilities, reporting 
relationships, and tenure and on 
the challenges that CIOs face 
(Federal Chief Information 
Officers: Responsibilities, 
Reporting Relationships, Tenure, 
and Challenges, GAO-04-823, July 
21, 2004) and to offer suggestions 
for actions that both the Congress 
and the agencies can take in 
response to these findings. 


www.gao.gov/cgi-bin/getrptTGAO-04-957T. 

To view the full product, including the scope 
and methodology, click on the link above. 
For more information, contact David A. 
Powner at 202-51 2-9286 or 
pownerd @ gao.gov. 


INFORMATION AND TECHNOLOGY 
MANAGEMENT 

Responsibilities, Reporting 
Relationships, Tenure, and Challenges of 
Agency Chief Information Officers 


What GAO Found 

In looking at 27 agencies, GAO found that CIOs generally were responsible 
for most of the 13 areas that had been identified as either required by statute 
or critical to effective information and technology management (see figure 
below) and that about 70 percent reported directly to their agency heads. 
Among current CIOs and former agency IT executives, views were mixed on 
whether it was important for the CIO to have responsibility for each of the 
13 areas and a direct reporting relationship with the agency head. In 
addition, current CIOs come from a wide variety of professional and 
educational backgrounds and, since the enactment of the legislation 
establishing this position, the permanent CIOs who had completed their 
time in office had a median tenure of about 2 years. This time in office, 
however, was less than the 3 to 5 years that both current CIOs and former 
agency IT executives most commonly cited as the amount of time needed for 
a CIO to be effective. Too short of a tenure can reduce a CIOs’ effectiveness 
and ability to address major challenges, including implementing effective IT 
management and obtaining sufficient and relevant resources. 

Both the Congress and the federal agencies can take various actions to 
address GAO’s findings. First, as the Congress holds hearings on and 
introduces legislation related to information and technology management, 
there may be an opportunity to consider the results of this review and 
whether the existing statutory framework offers the most effective structure 
for CIOs’ responsibilities and reporting relationships. Second, agencies can 
use the guidance GAO has issued over the past few years to address, for 
example, agencies’ IT management and human capital challenges. Finally, 
agencies can also employ such mechanisms as human capital flexibilities to 
help reduce CIO turnover or to mitigate its effect. 


Number of CIOs with Responsibility for Information Technology Management Areas 


Capital planning and investment management 27 

Enterprise architecture 27 

Information security BBBBBBBBBBBBBBBB 27 
IT/lRM strategic pfenning ■^■BBHBBBBBB^^^^BBB 27 
IT/IRM workforce planning BBBBBBBBBBBBBBBBI 27 
Major e-gov initiatives BHBBHBIBBBBBBI^^^B 25 
Systems acquisition, development and integration ■■■■■■■■■■■■■ 2-. 


Information dissemination I 

Information disdosurefFreedom of information ■ 
Statistical policy and coordination I 


30 

CIOs 


Source; Agency CIO*. 


26 


Mr. Chairman and Members of the Subcommittee: 

Thank you for the opportunity to join in today’s hearing on federal agency 
chief information officers (CIO). Our work and the work of others have 
shown that the federal government has had long-standing information and 
technology management problems. Various laws have been enacted to 
improve the government’s performance in this area. For example, the 
Clinger-Cohen Act of 1996 requires agency heads to designate CIOs to lead 
reforms to help control system development risks, better manage 
technology spending, and achieve real, measurable improvements in 
agency performance through better management of information resources. 

At your request, I will summarize our report 1 being issued today that 
focuses on the status of federal CIOs, including their responsibilities and 
reporting relationships, professional backgrounds and tenure, and what 
they viewed as their major challenges. In addition, I will discuss what can 
be done to address our findings. In performing our work at 27 major 
federal departments and agencies (23 entities identified in 31 United States 
Code 901, 2 the Department of Homeland Security, and the 3 military 
services), 3 we initially collected information using a data collection 
instrument and subsequently interviewed each of the CIOs who were in 
place at the time of our review. We also conducted two panel discussions 
with former agency information technology (IT) executives, including 
former CIOs, that addressed their experiences and challenges, and we held 
a series of discussions with our Executive Council on Information 
Management and Technology, which is composed of noted IT experts from 
the public and private sectors and from academia. The work on which this 


l U.S. Genera] Accounting Office, Federal Chief In formation Officers: Responsibilities, 
Reporting Relationships, Tenure, and Challenges, GAO-04-823 (Washington, D.C.: July 21, 
2004). 

This section of the U. S. C. requires 24 departments and agencies to establish chief 
financial officers. We did not include the Federal Emergency Management Agency in our 
review, even though it is one of the 24 departments and agencies, because this agency has 
been transferred to the Department of Homeland Security. 

The 27 agencies covered by our report are the Departments of Agriculture, the Air Force, 
the Army, Commerce, Defense, Education, Energy, Health and Human Services, Homeland 
Security, Housing and Urban Development, the Interior, Justice, Labor, the Navy, State, 
Transportation, the Treasury, and Veterans Affairs; and the Environmental Protection 
Agency, General Services Administration, National Aeronautics and Space Administration, 
National Science Foundation, Nuclear Regulatory Commission, Office of Personnel 
Management, Small Business Administration, Social Security Administration, and U.S. 
Agency for International Development. 


Page 1 


GAO-04-957T 




27 


testimony is based was performed from November 2003 through May 2004 
in accordance with generally accepted government auditing standards. 


Results in Brief 


Generally, CIOs were responsible for most of the 13 areas we identified as 
either required by statute or critical to effective information and 
technology management, and about 70 percent of the CIOs reported 
directly to their agency heads. However, two of the information and 
technology management areas — information disclosure and statistics — 
were the responsibility of fewer than half of the CIOs. While this 
alternative assignment of responsibility is not consistent with the statutes, 
the CIOs generally believed that not being responsible for certain 
information and technology management areas did not present a problem, 
in large part because other organizational units were assigned these 
duties. Views were mixed among current CIOs and former agency IT 
executives on whether a direct reporting relationship was crucial to the 
success of the CIO. In addition, current CIOs come from a wide variety of 
professional and educational backgrounds, and since the enactment of the 
Clinger-Cohen Act, the permanent CIOs who had completed their time in 
office had a median tenure of about 2 years. Agency CIOs’ average time in 
office, however, was less than the 3 to 5 years that was most commonly 
cited by both current CIOs and former agency IT executives as the amount 
of time needed for a CIO to be effective. This difference in tenure can 
negatively impact CIOs’ effectiveness and their ability to address the mqjor 
challenges they cited. These challenges include implementing effective IT 
management and obtaining sufficient and relevant resources. 

The Congress and federal agencies can take various actions to address our 
findings. First, as the Congress holds hearings on and introduces 
legislation related to information and technology management, there may 
be an opportunity to consider the results of this review and whether the 
existing statutory framework offers the most effective structure for CIOs’ 
responsibilities and reporting (i.e., to the agency head). Second, agencies 
can use the guidance we have issued over the past few years to address, 
for example, their IT management and human capital challenges. In 
addition, various mechanisms, such as human capital flexibilities, are 
available for agencies to use to help reduce CIO turnover or to mitigate its 
effect. 


Background 


Despite a substantial investment in IT, the federal government’s 
management of information resources has produced mixed results. 


Page 2 


GAO-04-957T 



28 


Although agencies have taken constructive steps to implement modem 
strategies, systems, and management policies and practices, we continue 
to find that agencies face significant challenges. 4 The CIO position was 
established by the Congress to serve as the focal point for information and 
technology management issues within an agency, and CIOs can address 
these challenges with strong and committed leadership. 

The Congress has assigned a number of responsibilities to the CIOs of 
federal agencies. (See app. I for a summary of the legislative evolution of 
agency CIO responsibilities.) In addition, we have identified other areas of 
information and technology management that can contribute significantly 
to the successful implementation of information systems and processes. 
Altogether, we identified the following 13 major areas of CIO 
responsibilities as either statutory requirements or critical to effective 
information and technology management: 5 

1T/IRM strategic planning. CIOs are responsible for strategic planning for 
all information and information technology management functions — 
referred to by the term information resources management (IRM) strategic 
planning (44 U.S.C. 3506(b)(2)!. 

IT capital planning and investment management CIOs are responsible for 
IT capital planning and investment management (44 U.S.C. 3506(h) and 40 
U.S.C. 11312 & 11313]. 

Information security. CIOs are responsible for ensuring their agencies’ 
compliance with the requirement to protect information and systems (44 
U.S.C. 3506(g) and 3544(a)(3)]. 

IT/JRM human capital. CIOs have responsibilities for helping their agencies 
meet their IT/IRM workforce needs (44 U.S.C. 3506(b) and 40 U.S.C. 
11315(c)]. 


4 U.S. General Accounting Office, High-Risk Series: An Update, GAO-03-1 19 (Washington, 
D.C.: January 1, 2003) and Major Management Challenges and Program Risks. A 
Government wide Perspective, GAO-03-95 (Washington, D.C.: January 1, 2003). 

‘Three areas of responsibility — enterprise architecture; systems acquisition, development 
and integration; and e-govemment initiatives — are not assigned to CIOs by statute; they are 
assigned to the agency heads by law or guidance. However, in virtually all agencies, the 
agency heads have delegated these areas of responsibility to their CIOs. 


Page 3 


GAO-04-957T 




29 


• Information collection/paperwork reduction. CIOs are responsible for the 
review of their agencies’ information collection proposals to maximize the 
utility and minimize public paperwork burdens [44 U.S.C. 3506(c)]. 

• Information dissemination. CIOs are responsible for ensuring that their 
agencies’ information dissemination activities meet policy goals such as 
timely and equitable public access to information [44 U.S.C., 3506(d)]. 

• Records management CIOs are responsible for ensuring that their 
agencies implement and enforce records management policies and 
procedures under the Federal Records Act [44 U.S.C. 3506(f)]. 

• Privacy. CIOs are responsible for their agencies’ compliance with the 
Privacy Act and related laws [44 U.S.C. 3506(g)]. 

• Statistical policy and coordination. CIOs are responsible for their agencies’ 
statistical policy and coordination functions, including ensuring the 
relevance, accuracy, and timeliness of information collected or created for 
statistical purposes [44 U.S.C. 3506(e)]. 

• Information disclosure. CIOs are responsible for information access under 
the Freedom of Information Act [44 U.S.C. 3506(g)]. 

• Enterprise architecture. Federal laws and guidance direct agencies to 
develop and maintain enterprise architectures as blueprints to define the 
agency mission and the information and IT needed to perform that 
mission. 

• Systems acquisition, development, and integration. GAO has found that a 
critical element of successful IT management is effective control of 
systems acquisition, development, and integration [44 U.S.C. 3506(h)(5) 
and 40 U.S.C. 11312]. 

• E-government initiatives. Various laws and guidance direct agencies to 
undertake initiatives to use IT to improve government services to the 
public and internal operations [44 U.S.C. 3506(h)(3) and the E-Govemment 
Act of 2002]. 


Page 4 


GAO-04-95 7T 



CIOs’ 

Responsibilities, 

Reporting 

Relationships, Tenure, 
and Challenges 


Agency CIOs Generally 
Were Responsible for Most 
Areas 


The agency CIOs were generally responsible for most of the 13 key areas 
we identified as either required by statute or among those critical to 
effective information and technology management, and most of these CIOs 
reported directly to their agency heads. We found that only 2 of these 13 
areas were cited as the responsibility of fewer than half of the CIOs, and 
19 of the CIOs reported directly to their agency heads. Their median 
tenure was about 2 years — less than the 3 to 5 years that Cl6s and former 
senior agency IT executives said were necessary for a CIO to be effective; 
this gap could be problematic because it could inhibit CIOs’ efforts to 
address m^jor challenges, including IT management and human capital. 


As figure 1 illustrates, CIOs were responsible for key information and 
technology management areas. In particular, 5 of the 13 areas were 
assigned to every agency CIO. These areas were capital planning and 
investment management, enterprise architecture, information security, 
IT/IRM strategic planning, and IT workforce planning. However, of the 
other 8 areas, 2 of them — information disclosure and statistics — were the 
responsibility of fewer than half of the CIOs. Disclosure is a responsibility 
that has frequently been assigned to offices such as general counsel and 
public affairs in the agencies we reviewed, while statistical policy is often 
the responsibility of separate offices that deal with the agency’s data 
analysis, particularly in agencies that contain Principal Statistical 
Agencies. 6 Nevertheless, even for those areas of responsibility that were 
not assigned to them, the CIOs generally reported that they contributed to 
the successful execution of the agency’s responsibility. 


Principal Statistical Agencies include the Bureau of Economic Analysis (Department of 
Commerce), Bureau of Justice Statistics (Department of Justice), Bureau of Labor 
Statistics (Department of Labor), Bureau of Transportation Statistics (Department of 
Transportation), Economic Research Service (Department of Agriculture), Energy 
Information Administration (Department of Energy), Environmental Protection Agency, 
Internal Revenue Service's Statistics of Income Division (Department of the Treasury), 
National Agricultural Statistics Service (Department of Agriculture), National Center for 
Education Statistics (Department of Education), National Center for Health Statistics 
(Department of Health and Human Sendees), Science Resources Statistics (National 
Science Foundation), Office of Policy (Social Security Administration), Office of 
Management and Budget (Executive Office of the President), and the U.S. Census Bureau 
(Department of Commerce) 


Page 5 


GAO-04-957T 



31 


Figure 1 : Number of CIOs Reporting That They Were Responsible for Each 
Information and Technology Management Area 

27 
27 

Information security 27 

IT/IRM strategic planning ■ 

IT/IRM workforce planning ■ 

Major e-gov initiatives ■ 

Systems acquisition, development end integration ■ 
information collection/paperwork reduction ■ 

Records management ■ 

Information dissemination ■ 

Privacy ■ 

Information disdosure/Freedom of information | 

Statistical policy and coordination ■ 

0 

Source: Agency CIOs. 

In those cases where the CIOs were not assigned the expected 
responsibilities, and they expressed an opinion about the situation, 7 more 
than half of the CIO responses were that the applicable information and 
technology management areas were appropriately held by some other 
organizational entity. Moreover, one of the panels of former agency IT 
executives suggested that not all 13 areas were equally important to CIOs. 
A few of the former agency IT executives even called some of the areas 
relating to information management a distraction from the CIO’s primary 
responsibilities. Those sentiments, however, are not consistent with the 
law, which envisioned that having a single official responsible for the 
various information and information technology functions would provide 
integrated management. 

Specifically, one purpose of the Paperwork Reduction Act of 1980 (PRA) is 
to coordinate, integrate, and — to the extent practicable and appropriate — 
make federal information resources management policies and practices 
uniform as a means to improve the productivity, efficiency, and 
effectiveness of government programs by, for example, reducing 
information collection burdens on the public and improving service 


Number ol CIOs 


Capital planning and investment management 
Enterprise architecture 


7 Out of a total of 69 possible responses (instances of CIOs without responsibility for one or 
more of the 13 information and technology management areas), in 42 instances CIOs 
expressed an opinion on whether they had any concerns with their agency’s assignment. 


Page 6 


GAO-04-957T 


32 


delivery to the public. Moreover, the House committee report 
accompanying the PRA in 1980 asserted that aligning IRM activities under 
a single authority should provide for both greater coordination among an 
agency’s information activities arid higher visibility for these activities 
within the agency. 8 

In addition to specifying areas of responsibility for the CIOs of major 
departments and agencies, the Clinger-Cohen Act calls for certain CIOs to 
have IRM as their primary duty.® All but a few of the agencies complied 
with this requirement The other significant duties reported by some CIOs 
generally related to other administrative or management areas, such as 
procurement and human capital. We'° and Members of Congress" have 
previously expressed concern about agency CIOs having responsibilities 
beyond information and technology management and have questioned 
whether dividing time between two or more kinds of duties would allow 
CIOs to deal effectively with their agencies’ IT challenges. 


CIOs Generally Reported Federal law— as well as our guide based on CIOs of leading private sector 
to Their Agency Heads organizations— generally calls for CIOs to report to their agency heads, 12 

forging relationships that ensure high visibility and support for far- 
reaching information management initiatives. Nineteen of the CIOs in our 
review stated that they had this reporting relationship. In the other 8 
agencies, the CIOs stated that they reported instead to another senior 
official, such as a deputy secretary, under secretary, or assistant secretaiy. 


®u.s. House of Representatives, Paperwork Reduction Act of 1980, House Report 9&-835, 
(Washington, D.C., Mar. 19, 1980). 

®The Clinger-Cohen Act requirement that agency CIOs have IRM as their primary duty 
applies to the major departments and agencies listed in 31 U.S.C. 901(b), which does not 
include the Department of Homeland Security or the Departments of the Air Force, the 
Army, and the Navy. 

10 U.S. General Accounting Office, Chief Information Officers: Ensuring Strong Leadership 
and an Effective Council, GAO/T-A1MD-98-22 (Washington, D.C.: Oct. 27, 1997). 

"U.S. Senate Committee on Governmental Affairs, Paperwork Reduction Act of 1995, 
Senate Report 104-8 (Washington, D.C., Jan. 30, 1995), 

l2 The Homeland Security Act of 2002 states that the CIO for the Department of Homeland 
Security shall report to the Secretary of Homeland Security or to another official as 
directed by the Secretary. As allowed by the law, the Secretary has directed the CIO to 
report to the Under Secretary for Management. 


Page 7 


GAO-04-957T 



33 


The views of current CIOs and former agency IT executives about whether 
it is important for the CIO to report to the agency head were mixed. For 
example, of the 8 CIOs who did not report directly to their agency heads, 
(1) 3 stated it was important or critical, (2) 2 stated it was not important, 
(3) two stated it was generally important but that the current reporting 
structure at their agencies worked well, and (4) 1 stated it was very 
important that a CIO report to at least a deputy secretary. In contrast, 15 of 
the 19 CIOs who reported to their agency heads stated that this reporting 
relationship was important 18 However, 8 of the 19 CIOs who said they had 
a direct reporting relationship with the agency head noted that they also 
reported to another senior executive, usually the deputy secretary or 
under secretary for management, on an operational basis. Finally, 
members of our Executive Council on Information Management and 
Technology told us that what is most critical is for the CIO to report to a 
top level official. The members of our panels of former agency IT 
executives also had a variety of views on whether it was important that the 
CIO report to the agency head. 


At the major departments and agencies included in our review, the current 
CIOs had diverse backgrounds, and since the enactment of the Clinger- 
Cohen Act, the median tenure of permanent CIOs whose time in office had 
been completed was about 2 years. 14 Both of these factors can significantly 
influence whether a CIO is likely to be successful. First, the background of 
the current CIOs varied in that they had previously worked in the 
government, the private sector, or academia, and they had a mix of 
technical and management experience. Virtually all of them had work 
experience and/or educational backgrounds in IT or IT-related fields. For 
example, 12 current agency CIOs had previously served in a CIO or deputy 
CIO capacity. Moreover, most of the CIOs had business knowledge related 
to their agencies because they had previously worked at the agency or had 
worked in an area related to the agency’s mission. 

Second, the median time in the position for agencies’ permanent CIOs was 
23 months. For career CIOs, the median was 32 months; the median for 
political appointees was 19 months. When asked how long a CIO needed to 


CIOs Have Diverse 
Backgrounds and 
Generally Remained in 
Office about 2 Years 


l3 One agency CIO stated that reporting to the CIO was not important, one CIO did not 
clearly address the question, and we not discussed this issue with two CIOs. 

14 We did not include acting CIOs in this calculation, unless the acting CIO was later put in 
the permanent position. Further analysis of tenure data is provided in appendix IV. 


Page 8 


GAO-04-957T 



34 


stay in office to be effective, the most common response of current CIOs 
and former agency IT executives was 3 to 5 years. Between February 10, 
1996 and March 1, 2004, only about 35 percent of the permanent CIOs who 
had completed their time in office reportedly had stayed in office for a 
minimum of 3 years. The gap between actual time in office and the time 
needed to be effective is consistent with the views of many agency CIOs, 
who believed that the turnover rate was high and that the political 
environment, the pay differentials between the public and private sectors, 
and the challenges that CIOs face contributed to this rate. 


Agency CIOs Face Major Current CIOs reported that they faced major challenges in fulfilling their 
Challenges duties. In particular, two challenges were cited by over 80 percent of the 

CIOs: implementing effective information technology management and 
obtaining sufficient and relevant resources. This indicates that CIOs view 
IT governance processes, funding, and human capital as critical to their 
success. Other common challenges they cited were communicating and 
collaborating internally and externally and managing change. Effectively 
tackling these reported challenges can improve the likelihood of a CIO’s 
success. The challenges the CIOs identified were as follows: 

IT Management. Leading organizations execute their information 
technology management responsibilities reliably and efficiently. A little 
over 80 percent of the CIOs reported that they faced one or more 
challenges related to implementing effective IT management practices at 
their agencies. This is not surprising given that, as we have previously 
reported, the government has not always successfully executed the IT 
management areas that were most frequently cited as challenges by the 
CIOs — information security, enterprise architecture, investment 
management, and e-gov. 16 

Sufficient and Relevant Resources. One key element in ensuring an 
agency’s information and technology success is having adequate resources 
available. Virtually all agency CIOs cited resources, both in dollars and 
staff, as mgjor challenges. The funding issues cited generally concerned 
the development and implementation of agency IT budgets and whether 
certain IT projects, programs, or operations were being adequately funded. 


I5 See, for example, U.S. General Accounting Office, High-Risk Series: Protecting 
Information Systems Supporting the Federal Government and the Nation’s Critical 
Infrastructures ; GAO-03-121 (Washington, D.C.: Jan. 1, 2003); GAO-04-49; GAO-04-40; and 
GAO-03-95. 


Page 9 


GAO-04-957T 



35 


We have previously reported that the way agency initiatives are originated 
can create funding challenges that are not found in the private sector. 16 For 
example, certain information systems may be mandated or legislated, so 
the agency does not have the flexibility to decide whether to pursue them. 
Additionally, there is a great deal of uncertainty about the funding levels 
that may be available from year to year. The government also faces long- 
standing and widely recognized challenges in maintaining a high-quality IT 
workforce. In 1994 and 2001, we reported the importance that leading 
organizations placed on making sure they had the right mix of skills in 
their IT workforce.’ 7 About 70 percent of the agency CIOs reported on a 
number of substantial IT human capital challenges, including, in some 
cases, the need for additional staff. Other challenges included recruiting, 
retention, training and development, and succession planning. 

Communicating and Collaborating. Our prior work has shown the 
importance of communication and collaboration, both within an agency 
and with its external partners. For example, one of the critical success 
factors we identified in our CIO guide focuses on the CIO’s ability to 
establish his or her organization as a central player in the enterprise. 18 Ten 
agency CIOs reported that communication and collaboration were 
challenges. Examples of internal communication and collaboration 
challenges included (1) cultivating, nurturing, and maintaining 
partnerships and alliances while producing results in the best interest of 
the enterprise and (2) establishing supporting governance structures that 
ensure two-way communication with the agency head and effective 
communication with the business part of the organization and component 
entities. Other CIOs cited activities associated with communicating and 
collaborating with outside entities as challenges, including sharing 
information with partners and influencing the Congress and the Office of 
Management and Budget (OMB). 

Managing Change. Top leadership involvement and clear lines of 
accountability for making management improvements are critical to 
overcoming an organization’s natural resistance to change, marshaling the 


16 U.S. General Accounting Office, Chief Information Officers: Implementing Effective CIO 
Organizations, GAO/T-AIMD-OO-128 (Washington, D.C.: Mar. 24, 2000). 

I7 U.S. General Accounting Office, Executive Guide: Improving Mission Performance 
Through Strategic Information Management and Technology, GAO/A1MD-94-1 15 
(Washington, D.C.: May 1, 1994) and GAO-01-376G. 

I8 GAO-Ol-376G. 


Page 10 


GAO-04-957T 



36 


resources needed to improve management, and building and maintaining 
organizationwide commitment to new ways of doing business. Some CIOs 
reported challenges associated with implementing changes originating 
both from their own initiative and from outside forces. Implementing 
major IT changes can involve not only technical risks but also 
nontechnical risks, such as those associated with people and the 
organization’s culture. Six CIOs cited dealing with the government’s 
culture and bureaucracy as challenges to implementing change. Former 
agency IT executives also cited the need for cultural changes as a major 
challenge facing CIOs. Accordingly, in order to effectively implement 
change, it is important that CIOs build understanding, commitment, and 
support among those who will be affected by the change. 


Actions Can Be Taken 
to Improve Agencies’ 
Information and 
Technology 
Management 


The Congress and agencies can take various actions to assist CIOs in 
fulfilling their vital roles. With respect to the Congress, hearings such as 
this, Mr. Chairman, help to raise issues and suggest solutions. Also, the 
report we are releasing today contains a Matter for Congressional 
Consideration in which we suggest that, as you hold hearings on and 
introduce legislation related to information and technology management, 
you consider whether the existing statutory requirements related to CIO 
responsibilities and reporting to the agency head reflect the most effective 
assignment of information and technology management responsibilities 
and the best reporting relationship. To further assist in your oversight role, 
as you requested, we are beginning work on the development of a set of 
CIO best practices, based on the practices of leading organizations in the 
private sector, to complement the report we are releasing today. 


Agencies, too, can take action to improve their information and 
technology management. First, to address concerns about the high CIO 
turnover rate, agencies may be able to use human capital flexibilities — 
which represent the policies and practices that an agency has the authority 
to implement in managing its workforce — to help retain its CIOs. For 
example, our model on strategic human capital management notes that 
recruiting bonuses, retention allowances, and skill-based pay can attract 
and retain employees who possess the critical skills the agency needs to 
accomplish its mission . 19 We have also issued several reports that discuss 
these issues in more depth and provide possible solutions and 


l9 U.S. General Accounting Office, A Model of Strategic Human Capital Management, 
GAO-02-373SP, Exposure Draft (Washington, D.C.: Mar. 15, 2002). 


Page 11 


GAO-04-957T 



37 


recommendations “ Second, we have issued various guides to assist CIOs 
in tackling the m^jor challenges that they have cited. This guidance 
includes (1) information security best practices to help agencies with their 
information security challenges; 21 (2) an IT investment management 
framework, including a new version that offers organizations a road map 
for improving their IT investment management processes in a systematic 
and organized manner, 22 and (3) a framework that provides agencies with a 
common benchmarking tool for planning and measuring their efforts to 
improve their enterprise architecture management. 23 


In summary, the report we are issuing today indicates that CIOs generally 
stated that they had most of the responsibilities and reporting 
relationships required by law, but that there were notable exceptions. In 
particular, some agency CIOs reported that, contrary to the requirements 
in the law, they were not responsible for certain areas, such as records 
management, and that they did not report to their agency head. However, 
views were mixed as to whether CIOs could be effective leaders without 
having responsibility for each individual area. In addition, most CIOs did 


20 See U.S. General Accounting Office, Human Capital: A Guide for Assessing Strategic 
Training and Development Efforts in the Federal Government, GAO-04-546G (Washington, 
D.C.: Mar. 1 2004), Human Capital: Selected Agencies’ Experiences and Lessons Learned in 
Designing Training and Development Programs, GAO-04-291 (Washington, D.C.: Jan. 30, 
2004), Human Capital: Key Principles for Effective Strategic Workforce Planning, 

GAO-04-39 (Washington, D.C.: Dec. 11, 2003), Human Capital: Insights for U.S. Agencies 
from Other Countries' Succession Planning and Management Initiatives, GAO-03-914 
(Washington, D.C.: Sept. 15 , 2003), Human Capital: Opportunities to Improve Executive 
Agencies' Hiring Processes, GAO-03450 (Washington, D.C.: May 30, 2003), Human Capital: 
OPM Can Better Assist Agencies in Using Personnel Flexibilities, GAO-03-428 (Washington, 
D.C.: May 9, 2003), and Information Technology Training: Practices of Leading Private- 
Sector Companies, GAO-03-390 (Washington, D.C.: Jan. 31, 2003). 

21 U.S. General Accounting Office, Executive Guide: Information Security Management- 
Learning from Leading Organizations, GAO/A1MD-98-68 (Washington, D.C.: May 1, 1998) 
and Information Security Risk Assessment Practices of Leading Organizations, 
GAO/A1MD-00-33 (Washington, D.C.: Nov. 1, 1999). 

“U.S. General Accounting Office, Information Technology Investment Management A 
Framework for Assessing and Improving Process Maturity, Version 1.1, GAO-04-394G 
(Washington, D.C.: Mar. 1, 2004). See also, U.S. General Accounting Office, Executive 
Guide: Measuring Performance and Demonstrating Results of Information Technology 
Investments, GAO/AIMD-9S-89 (Washington, D.C.: Mar. 1, 1998). 

a U-S. General Accounting Office, Information Technology: A Framework for Assessing and 
Improving Enterprise Architecture Management fl-'ersion 1.1), GAO-03-584G (Washington. 
D.C.: Apr. 1, 2003). 


Page 12 


GAO-04-967T 




38 


not stay in office for 3 to 5 years — the response most commonly given 
when we asked current CIOs and former agency IT executives how long a 
CIO needed to be in office to be effective. Agencies’ use of various 
mechanisms, such as human capital flexibilities, could help reduce the 
turnover rate or mitigate its effect. Reducing turnover among CIOs is 
important because the amount time CIOs are in office can affect their 
ability to successfully address the major challenges they face. Some of 
these challenges — such as how IT projects are originated — may not be 
wholly within their control. Other challenges — such as improved IT 
management — are more likely to be overcome if a CIO has sufficient time 
to more effectively address these issues. 

Mr. Chairman, this completes my prepared statement. I would be happy to 
respond to any questions that you or other Members of the Subcommittee 
may have at this time. 


Page 13 


GAO-04-957T 



39 


Legislative Evolution of Agency Chief 
Information Officer Roles and 
Responsibilities 


For more than 20 years, federal law has structured the management of 
information technology and information-related activities under the 
umbrella of information resources management (IRM). 1 Originating in the 
1977 recommendations of the Commission on Federal Paperwork, the IRM 
approach was first enacted into law in the Paperwork Reduction Act of 
1980 (PRA). 2 The 1980 act focused primarily on centralizing 
govemmentwide responsibilities in the Office of Management and Budget 
(OMB). The law gave OMB specific policy-setting and oversight duties 
with regard to individual IRM areas — for example, records management, 
privacy, and the acquisition and use of automatic data processing and 
telecommunications equipment (later renamed information technology). 
The law also gave agencies the more general responsibility to carry out 
their IRM activities in an efficient, effective, and economical manner and 
to comply with OMB policies and guidelines. To assist in this effort, the 
law required that each agency head designate a senior official who would 
report directly to the agency head to carry out the agency’s responsibilities 
under the law. 

Together, these requirements were intended to provide for a coordinated 
approach to managing federal agencies’ information resources. The 
requirements addressed the entire information life cycle, from collection 
through disposition, in order to reduce information collection burdens on 
the public and to improve the efficiency and effectiveness of government. 

Amendments to the PRA in 1986 and 1995 were designed to strengthen 
agency and OMB implementation of the law. Most particularly, the PRA of 
1995 provided detailed agency requirements for each IRM area, to match 
the specific OMB provisions. The 1995 act also required for the first time 
that agencies develop processes to select, control, and evaluate the results 
of major information systems initiatives. 

In 1996, the Clinger-Cohen Act supplemented the information technology 
management provisions of the PRA with detailed Chief Information Officer 
(CIO) requirements for IT capital planning and investment control and for 


‘IRM is the process of managing information resources to accomplish agency missions and 
to improve agency performance. 

2 P.L. 96-511, December 11, 1980. 


Page 14 


GAO-04-957T 



40 


performance and resuits-based management. 3 The 1996 act also 1 
established the position of agency chief information officer by amending 
the PRA to rename the senior 1RM officials CIOs and by specifying 
additional responsibilities for them. Among other things, the act required 
IRM to be the “primary duty” of the CIOs in the 24 major departments and 
agencies specified in 31 U.S.C. 901. Accordingly, under current law," 
agency CIOs are required to carry out the responsibilities of their agencies 
with respect to information resources management, including 

• information collection and the control of paperwork; 

• information dissemination; 

• statistical policy and coordination; 

• records management; 

• privacy, including compliance with the Privacy Act; 

• information security, including compliance with the Federal Information 
Security Management Act; 

• information disclosure, including compliance with the Freedom of 
Information Act; and 

• information technology. 


3 P.L 104-106, February 10, 1996. The law, initially entitled the Information Technology 
Management Reform Act (ITMRA), was subsequently renamed the Clinger-Cohen Act in 
P.L. 104-208, September 30, 1996. 

4 The E-Govemment Act of 2002 reiterated agency responsibility for information resources 
management. P.L. 107-347, December 17, 2002. 


Page 15 


GAO-04-957T 





41 


Together, these legislated roles and responsibilities embody the policy that 
CIOs should play a key leadership role in ensuring that agencies manage 
their information functions in a coordinated and integrated fashion in 
order to improve the efficiency and effectiveness of government programs 
and operations: 


(310469) 


Page 16 


GAO-04-957T 



GAO’s Mission 

The Government Accountability Office, the audit, evaluation and investigative arm 
of Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability of the 
federal government for the American people. GAO examines the use of public 
funds; evaluates federal programs and policies; and provides analyses, 
recommendations, and other assistance to help Congress make informed 
oversight, policy, and funding decisions. GAO’s commitment to good government 
is reflected in its core values of accountability, integrity, and reliability. 

Obtaining Copies of 
GAO Reports and 
Testimony 

The fastest and easiest way to obtain copies of GAO documents at no cost is 
through the Internet GAO’s Web site (www.gao.gov) contains abstracts and full- 
text files of current reports and testimony and an expanding archive of older 
products. The Web site features a search engine to help you locate documents 
using key words and phrases. You can print these documents in their .entirety, 
including charts and other graphics. 


Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site 
daily. The list contains links to the full-text document flies. To have GAO e-mail 
this list to you every afternoon, go to www.gao.gov and select “Subscribe to e-mail 
alerts” under the “Order GAO Products" heading. 

Order by Mail or Phone 

The first copy of each printed report is free. Additional copies are $2 each. A 
check or money order should be made out to the Superintendent of Documents. 
GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a 
single address are discounted 25 percent. Orders should be sent to: 


U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548 


To order by Phone: Voice: (202)512-6000 

TDD: (202) 512-2537 

Fax: (202) 512-6061 

To Report Fraud, 
Waste, and Abuse in 
Federal Programs 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470 

Public Affairs 

Jeff Nelligan, Managing Director, NelliganJ@gao.gov (202) 512-4800 

U.S Government Accountability Office, 441 G Street NW, Room 7149 

Washington, D.C. 20548 


PRINTED ON 


RECYCLED PAPER 




43 


Mr. Putnam. Thank you very much. 

I want to thank all of you for your opening remarks, and at this 
time I will yield for the first round of questions to the ranking 
member, the gentleman from Missouri. 

Mr. Clay. Thank you, Mr. Chairman, and thank all the panelists 
for being here today. 

Mr. Johnson, GAO found that agency CIOs were unanimously re- 
sponsible for IT areas such as information security and IT invest- 
ment management, but were much less likely to be responsible for 
areas such as information disclosure or statistical policy, all of 
which they are statutorily responsible for. Should the CIOs be re- 
sponsible for each of these 13 areas, and are OMB or the CIO 
Council planning to respond to these findings? 

Mr. Johnson. Ask Karen Evans after me, and you should pay 
more attention to what she says than what I do. To answer your 
question, if that is the law, then that is what they are supposed 
to be doing, is one. I do think that 80+ percent of the value of a 
CIO is in those top four, five, or six categories. And when we have 
major problems in the IT arena, it is because we have a $100 mil- 
lion project that is producing nothing, or a $500 million project that 
is 2 years past due. And that is where the bigger numbers are and 
bigger opportunities to perform or fall behind. 

But in terms of the CIO Council addressing those particular 
things, I really don’t know. If it was agreed to that is what they 
are supposed to be doing, then that is what they are supposed to 
be doing. 

Mr. Clay. Let me ask you, then, a followup. Whose responsibility 
does it become to fulfill the CIO’s role when the position is vacant? 
And are there circumstances where the bureaucracy is demonstrat- 
ing better results in agencies where the CIO position is vacant? 

Mr. Johnson. When the position is vacant, the chief operating 
officer of an agency, which may be the head of a smaller agency 
or under secretary for management at larger departments will fill 
the vacancies. If there is a vacancy in a political position or a ca- 
reer position, the work is supposed to be go on. Big IT development 
projects are supposed to continue on budget and on schedule. We 
are supposed to be running these agencies, and they are respon- 
sible for designating somebody to serve in an acting capacity in the 
absence of a CIO; and it might be the deputy CIO, it might be 
somebody from the outside, it might be any number of different 
people. But we are not supposed to stop spending $60 billion wisely 
just because the CIO is missing. We hold the operating head of the 
agency responsible for everything that goes on in that agency, 
whether all his or her senior positions are filled or not. The ab- 
sence of people in those positions is not an excuse. 

Mr. Clay. OK, thank you for that response. 

And I will ask you, too, Ms. Evans. Welcome today. What about 
GAO’s findings that the agency CIOs were responsible for IT areas 
such as information security and investment management, but 
much less likely to be responsible for areas such as information dis- 
closure? 

Ms. Evans. In looking at those responsibilities — and I have had 
the opportunity to be an operational CIO, as well as being in com- 
ponent organizations, and I have had the opportunity to work with 



44 


statistical agencies. Statistical agency and policy coordination is 
usually jointly developed in those agencies where statistical agen- 
cies are present, because by law statistical agencies have informa- 
tion requirements that are levied on them, as well, as to how they 
need to protect that information before it is released out to the 
public. And so usually what will happen is those responsibilities 
will be jointly done. The two that you specifically mentioned are 
usually jointly done with the general counsel’s office and the CIO’s 
office, because there is an information dissemination piece where 
the CIO’s policies and rules and procedures would come in place, 
but there is also a programmatic piece associated with the manage- 
ment of that information. 

So I think those two areas really highlight the partnership that 
is required that a CIO must have into multiple program areas, be- 
cause we don’t necessarily have the expertise in all the program 
areas, so we have to partner with the appropriate expertise that we 
need. So there is a programmatic aspect to the two pieces that you 
have brought up that we would generally rely on general counsel 
advice as well as the statistical heads of the agencies as designated 
by law. 

Mr. Clay. OK, let me ask one last question. Do you believe the 
requirement to have agency CIOs report directly to the agency 
heads still make sense in today’s environment? 

Ms. Evans. I would like to think that the focus of this is that 
IT is a strategic asset, and so the agency head, or the chief operat- 
ing officer in this particular case, views IT as a strategic asset; 
therefore, the CIO would be involved in those. Do I think it is nec- 
essary that they directly report to the secretary? I don’t think that 
is the case. I think that what is important is the way that IT is 
managed within that agency, and that it is viewed as a strategic 
asset and that the CIO manages it that way with the appropriate 
staff. 

Mr. Clay. Thank you for your response. 

My time has expired. 

Mr. Putnam. Mr. Johnson, thank you again for being with us. If 
you would just step back and in your time you have had an oppor- 
tunity to evaluate this, see what is working, what is not working. 
If we were to make modifications to the law governing CIOs, what 
changes to the statute make the most sense for the operational 
day-to-day activities of making the Government work, holding it ac- 
countable, and running it efficiently? 

Mr. Johnson. Well, I have a better sense of what we need to 
make sure that all of this happens. If you are asking what of the 
Clinger-Cohen currently allows or doesn’t allow, I don’t know. But 
what I think the CIO needs to be able to do, and needs to be 
charged to do is to define really clearly what any dollars spent on 
IT is supposed to produce which is their most important role as I 
mentioned earlier. And oftentimes program managers say we need 
a new intelligence system or a new financial management system, 
and people start spending large sums of money before it is really 
clearly defined what it is that we are trying to accomplish. The 
CIO is the person that the head of the agency, Karen, all of you, 
and I should look to when we have IT projects that run amok, that 
are not producing defined goals with defined benefits at an accept- 



45 


able cost, on schedule. That is their primary responsibility, in my 
mind, and they are the ones that we should hold accountable for 
that. 

If they need extra authorities or extra tools to be able to do that, 
then we should allow that. I don’t know what Clinger-Cohen allows 
now or not, but I do know that all too often we are not a very good 
client; we don’t develop most of these systems ourselves, we hire 
other people to come in, we act as their client, and we work with 
them. The fact that we allow large, large sums of money to be 
spent on these projects that are years behind or have not achieved 
the functionality we expect, says that we are not as good a client 
and as good a spender of these resources as we should be. To me, 
we have to be a disciplined client and a disciplined spender. This 
means we have to be rigorously inclined to define what it is we con- 
sider success and what it is we are trying to accomplish: by when, 
for whom, and at what cost. And that is the discipline. That is the 
rigor that is missing, I think, between a really good spender of $60 
billion and a not-so-wonderful spender of $60 billion. 

Mr. Putnam. What is the best management tool to impose that 
discipline, that rigor, to have that accountability when programs do 
go south? And, frankly, it happens more frequently than any of us 
would like, and it involves an awful lot of commas and zeros. 

Mr. Johnson. I think it is a combination of things. I think one 
of the things the President’s management agenda points out is the 
value of clearly defining what you expect to achieve in human cap- 
ital, in IT or budget integration, or competitive sourcing. Then you 
can hold someone accountable for achieving it, and you give quar- 
terly updates on how good a job they are doing. So, for instance, 
one of the things that the President’s management agenda does is 
require the IT operations in the agencies to use Form 300’s, which 
develop really well thought-out business cases. Are the business 
cases acceptable or not; do they define the adequacy of the manage- 
ment of the project, the security provisions being made, the desired 
functionality, and so forth? How good are our business cases, and 
does the value of the system far exceed the cost? And we could talk 
about what percent of the business cases are acceptable or not. 
That is information, particularly with the bigger projects, that we 
probably ought to be more interested in and pay more attention to 
than we are. 

But I think one of the things we have done is start to publicize 
what percent of the case are acceptable or not and, what percent 
of the systems are secure. That information is public, and some 
agencies are great and some agencies are not so great. We ought 
to be kind of hard on the agencies that are not so great. We re- 
quired CIOs to utilize earned value management for all projects to 
determine whether projects are on budget and on schedule. And we 
keep track of what percent of the projects are within 30 percent of 
the planned budget and schedule, as an intermediate goal, and the 
ultimate goal is to get within 10 percent of the budget and sched- 
ule. That information ought to be made public; people ought to be 
held accountable for getting it to an acceptable level and holding 
it there. 

So it is a clear definition of success, and I think information 
about how good each CIO is or how good each agency is at achiev- 



46 


ing those standards should be made public. And we ought to be re- 
lentless about it. I think that we do a good job with the President’s 
management agenda, but it can be even more visible than what it 
is today, which is a charge to us. In the past, what I heard a lot 
of people say about management issues in general in the Federal 
Government was: we have always had goals, we have always said 
we want to accomplish this with GPRA, and we want to accomplish 
this with IT. What seems to be new in the last couple of years is 
that we are actually expecting people to achieve those goals, and 
we are actually defining more clearly what success means. We are 
publishing report cards, and we are publishing performance infor- 
mation and letting the American people and Congress know who is 
achieving those goals, who is not, and making it real clear that we 
expect people to produce results. 

There are things that we are employing now: earned value man- 
agement, Form 300’s, President’s management agenda. There have 
been other things as well that will allow us to do that even better. 
I don’t know that we necessarily mandate those by statute, but 
that discipline, I think is, in general, what is called for. 

Mr. Putnam. So the oversight, the scrutiny, and the publicity 
that arises from failing to meet those goals then is the accountabil- 
ity you speak of. 

Mr. Johnson. Yes. Karen and I have talked about understanding 
that the more money involved, the greater the risk. Maybe there 
is a second and a third level of quality control that should exist for 
large IT projects. How do we ensure that it happens? Do we require 
it? Do we suggest it? I don’t know yet. But whenever we are trying 
to write something new or develop a system, we are trying to do 
something that has never been done before, so there is risk in- 
volved. We must find out how to manage that risk. We just need 
to be more conscious of our track record, ensuring that it is not 
going to go awry. We need to try to do more things to make sure 
it doesn’t. So, to do so, we can identify where we do have problems, 
identify where we do have success, make sure that we spread our 
best practices and avoid our worst practices, and have lots of clar- 
ity and accountability. 

Mr. Putnam. Ms. Evans, having been on both sides of this, is 
there enough accountability in the system currently on individuals, 
on CIOs? 

Ms. Evans. I would say that right now, based on the statutes 
that we have in place, the authorities that are out there and the 
responsibilities that we have, it is very clear what we are supposed 
to do. I would echo the same comments that Mr. Johnson has just 
made. And I was obviously in the Federal Government when 
Clinger-Cohen was first passed, and have seen how it continues to 
progress and evolve the roles, but the difference now is the ac- 
countability. We always knew what we were supposed to do; we 
have always had an A-130. We have always had A-lls. We have 
always had the guidance going forward of what we were supposed 
to do, but now OMB has stepped up and the President, himself, 
with the scorecard is really in a very public way publishing what 
are the expectations, what do we expect agencies to do, how do we 
expect them to perform, and holding them accountable, meeting 
with them quarterly and asking them about the progress of how 



47 


they are going, giving us results that we can see, tangible results, 
not just telling us that they are doing it, but us actually can see 
it, because then, as the taxpayer, you will be able to see it as well, 
has really made a difference. 

And I have seen great, great changes that have occurred with the 
introduction of the scorecard, holding the agencies accountable, and 
it really has truly energized people within the agencies because 
they know at the highest ranks of the Federal Government their 
work is being looked at, and it is important and it is making a dif- 
ference. 

Mr. Putnam. So Clinger-Cohen, has it had its intended impact? 

Ms. Evans. I would say yes. And I would say that you are going 
to continue to see more things happen. I think that Congress, 8 
years ago, had the foresight to realize what information technology 
was going to do, the impact that it was going to have on the Fed- 
eral Government. But as we continue to evolve and as you see tech- 
nology continues to just morph and morph and morph, that it has 
had the impact; it has heightened the awareness, it has made 
agencies’ officials be held accountable, and we are introducing more 
and more tools so there is more clarity to what the intent of 
Clinger-Cohen really was meant to be. 

Mr. Putnam. The A-130 was last revised in late 2000. Is it out- 
dated, it is in need of revision, or is it OK the way that it is? 

Ms. Evans. You are right, it has not been updated since 2000; 
however, as each piece of legislation comes out, we have imple- 
mented policy guidance to deal with the implementation of that 
legislation. We are in a review process for it right now to see if we 
really do need to update it, but there are no policy gaps as far as 
guidance to the agencies are concerned, because we have issued 
those. We are reviewing it. If we were to update it, it wouldn’t hap- 
pen until the next fiscal year, going into the next fiscal year. 

Mr. Putnam. Mr. Powner, you pointed out the turnover in the 
CIOs in your report. 

Mr. Johnson, we have had hearings about this at all levels of the 
Federal Government, the human capital problems. 

How big a deal is it? Is it typical of what we are seeing across 
the Federal Government, a little bit better, a little bit worse, is it 
a crisis, is it one of many problems? How would you characterize 
it? 

Mr. Johnson. I know in the political appointees in general, their 
adage is — which is what I was involved in with the President when 
he first came to office — the average time supposedly that somebody 
stays in a political position is 2 V 2 years or so, and the general rea- 
sons given for that is this is hard work, the volume of work, the 
public scrutiny, it is hard. You have been here long than I have. 
And it doesn’t mean necessarily someone leaves, but they stay in 
one job on point 11, 12 hour days, and 2 V 2 years plus or minus, 
then they tend to move to something else or the good ones are 
asked to do something else, whatever, but 2 V 2 years. So the fact 
that the turnover for CIOs is 2 years doesn’t strike me as being 
dramatically different. 

I know of CIOs who, in general, can come in and have a huge 
impact on an organization within months, and I know other CIOs 
that can come into an organization and be there for 3 or 4 years 



48 


and have little impact. So I wish CIOs in general would be there 
3 or 4 years, versus one or two, but I am not sure there is a direct 
correlation between time on the job and their effectiveness. 

This is a very hot market, and I don’t know what impact the IT 
and the Internet growth of the industry in the late 1990’s had on 
turnover. I would think it would be hard for us to compete with 
people that are hiring our CIOs and paying them lots of money and 
lots of stock options and so forth. It would be easier when the mar- 
ket is not heated up like that. 

I don’t know that there is any immediate, direct problem with 
CIO turnover, because I think a good CIO can come in and have 
an impact in a very short period of time. I think the primary thing 
is being able to hire them initially and get them on board in a 
hurry, more so than once they are here, keeping them and letting 
them grow into the job. We spend so much money in almost every 
agency; we don’t need to be hiring CIOs that can take 18 months 
to get up to speed. Invariably, when they walk in on the job, they 
have tens of millions of dollars of projects that need to be managed 
and huge issues bigger than anything they have ever faced, and 
they need to be effective pretty much within the first couple of 
weeks. 

Mr. Putnam. Ms. Evans, you chair the CIO Council. How would 
you characterize the turnover issue? 

Ms. Evans. I think it is indicative of the marketplace of where 
we are competing. Is it a problem that their turnover is every 18 
months? Again, I would re-echo the same comments that Mr. John- 
son did. When you come into the job, you have to be able to hit the 
ground running. You could be there 3, 4, 5 years and not be a very 
effective person, and not just as CIO, but in any position. So do I 
see a change on the Council? They come in, we come in, we bring 
them up to speed, we make sure that the best practices are there 
so that they have everything that they need to hit the ground run- 
ning. But for the most part, do I think that it impacts our overall 
performance on the Council? I would say no, because we have our 
processes and our procedures and our best practices; we continue 
to evolve those. We have those in place so that we can ensure that 
the turnover doesn’t impact the functioning of the Council. 

Mr. Putnam. Mr. Powner, do you agree with that? 

Mr. Powner. In terms of the tenure and the turnover with the 
CIOs, a couple things that we heard that actually could help to 
mitigate some of the transition periods is the deputy CIO position. 
Many CIOs mentioned to us the importance of that position. The 
other thing that is very important, and this is in line with what 
Ms. Evans is saying here, is when we have performance-oriented 
goals, such as the E-Gov section of the PMA, which really covers 
a number of those top seven areas there, that keeps the focus on 
several key IT management areas, whether we have turnover or 
not. That is very important. Your grades, that is another area. 
Folks are very focused on those grades, whether we have turnover 
at the CIO position or not, because the heads of those agencies are 
clearly focused on those grades and those scores. 

Mr. Putnam. Thank you all very much. We have three panels 
today, so we are going to move right along. I really appreciate all 
of you coming down and spending some time with the subcommit- 



49 


tee. These are important issues and you have all been very sup- 
portive of this subcommittee’s agenda in working together with you 
to improve our IT efficiency. 

So the subcommittee will stand in recess and we will arrange for 
the second panel. 

[Recess.] 

Mr. Putnam. If the witnesses and anyone accompanying them 
will please rise and raise your right hands. 

[Witnesses sworn.] 

Mr. Putnam. Note for the record that all of the witnesses re- 
sponded in the affirmative. We will move immediately into testi- 
mony. 

I would like to welcome our witnesses for this panel and intro- 
duce Paul Brubaker. Mr. Brubaker served as executive vice presi- 
dent and chief marketing officer for IS International. He has re- 
sponsibility over marketing and helps guide IS toward future op- 
portunities. He joined IS with over 16 years of experience in gov- 
ernment services and the public sector. As the former deputy CIO 
for the Department of Defense, Mr. Brubaker was the Department 
of Defense’s second highest ranking technology official. 

Welcome to the subcommittee. You are recognized for 5 minutes. 

STATEMENTS OF PAUL BRUBAKER, EXECUTIVE VICE PRESI- 
DENT AND CHIEF MARKETING OFFICER, IS INTERNATIONAL; 

JAMES FLYZIK, PARTNER, GUERRA, KIVIAT, FLYZIK & ASSO- 
CIATES; AND DEBRA STOUFFER, VICE PRESIDENT OF STRA- 
TEGIC CONSULTING SERVICES, DIGITALNET 

Mr. Brubaker. Thank you, Mr. Chairman, Mr. Clay, and mem- 
bers of the subcommittee. I am here today speaking as a citizen. 
These are my own views and do not reflect those of my firm, per 
my general counsel. 

I was originally involved in developing the Clinger-Cohen provi- 
sions, including the CIOs and the deputy CIO provisions that were 
in the report language, as well as served at DOD, so I think I have 
a fairly unique perspective on both the formulation of the legisla- 
tion and how it is applied at the largest Federal agency. 

I would like to commend you, Mr. Chairman and Mr. Clay, as 
well as the General Accounting Office, for convening this hearing 
today and undertaking this review. I would like to point out that — 
you see these outlined over here in the chart that GAO put for- 
ward — work before programs run amok, not after they run amok. 
Management is another area responsibility in developing and en- 
hancing architectures, including operational architectures, and 
standards is absolutely key, encouraging and ensuring process 
change throughout the organization, and the intent was for vision- 
aries and strategic thinkers as it relates to applying information 
technology in the enterprise. What is the most useful reporting 
structure? Simply reporting to the agency head. GAO made ref- 
erence to a chief operations officer in their report today, which I 
believe to be an excellent idea and merits further study. Now, 
should a COO be established, then I would highly recommend that 
both the CIO and the CFO report directly to that person. 

The bottom here is that a seat at the management table is abso- 
lutely critical for a CIO to be effective; they should be tantamount 



50 


to the financial officer in terms of the organizational structure. 
Wherever that CFO reports, the CIO should report as well. 

You asked about the specific duration of time in which a CIO 
must remain in their position to be most effective. Honestly, it has 
to be longer than 19 to 32 months, as was outlined in the report, 
especially given the fact that the general consensus out there in 
the management circles is that you need 3 to 5 years to be effec- 
tive. I would highly recommend term appointments on the part of 
CIOs, certainly greater than 6 years, no more than 12; can be re- 
appointed; perhaps some perks related to retirement that would at- 
tract some of the best and brightest of that position. 

You asked about characteristics and qualifications that a CIO 
should possess. Simply put, knowledge of applied technology and a 
nose for transformation, a desire and a passion to reform, and busi- 
ness acumen. It is absolutely critical that if they are operating the 
capital planning and investment control process, that they under- 
stand concepts like risk management, risk mitigation, return on in- 
vestment, and so forth. 

Major challenges? In a word I can sum it up: culture. The culture 
of the organization, when we introduced the concept of CIO, was 
not all-embracing, and basically what you have is an information- 
aged position that we are putting into an industrial-aged bureauc- 
racy, and, frankly, it has been difficult and a long road to get it 
to work. 

And I would be pleased to answer any questions that you may 
have. 

[The prepared statement of Mr. Brubaker follows:] 



51 


Statement of Paul Brubaker 

before the 

Committee on Government Reform 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census 
Congressman Adam H. Putnam, Chairman 

on 

Evolving Role of federal Chief Information Officers 

July 21, 2004 



52 


Mr. Chairman, Members of the Subcommittee, my name is Paul Brubaker, and 1 am 
Executive Vice President and Chief Marketing Officer for SI International, an 
information technology firm with headquarters in Reston, Virginia. 

This afternoon, however, 1 am testifying on behalf of myself as a former Congressional 
Staff Member who participated extensively in formulating the Clinger-Cohen Act of 
1996 which included information technology-related policies and the establishment of 
Chief Information Officers. I am also the former Deputy Assistant Secretary of Defense 
(Deputy Chief Information Officer). I believe that my unique blend of legislative and 
executive branch experience as it relates to the Clinger-Cohen Act could be helpful in 
examining the evolution of the Chief Information Officer (CIO) position within the 
federal government. The statements and views I express today are my own and do not 
represent the views or opinions of my current employer. 

Mr. Chairman, your invitation requested that I address five topics related to the role of 
the CIO in the federal government. The five topics are: 

1) What responsibilities of federal CIOs are the most critical to the success of their 
organization? 

2) What is the most useful reporting structure for a CIO within a government agency 
to achieve these responsibilities? 

3) Is there a specific duration of time in which a CIO must remain in their position to 
be most effective? 

4) What characteristics and qualifications should a CIO possess? 

5) What are the major challenges that CIOs face? 

I will address these issues in order. 

What responsibilities of federal CIOs are the most critical to the success of their 
organization? 

As envisioned under the Clinger-Cohen Act, a federal CIO’s most important 
responsibility is to conduct capital planning and investment control (also known as 
portfolio management) of their agency’s information technology budget. Although there 
are clearly other responsibilities outlined in the legislation, we felt that the effective 
management of agency technology investments would enable government agencies to 


2 



53 


realize the significant measurable improvements in their mission performance and 
customer and citizen satisfaction. 

We believed that CIOs would act in concert with the Office of Management and Budget 
(OMB) and their respective agency heads to develop and drive investment guidance in 
functional areas within their departments. The Act’s intent is for CIOs to develop 
integrated information technology architectures for their departments that would drive 
investment. Moreover, we envisioned that CIOs and CFOs would work together to fully 
integrate business and financial systems and to establish systems to track and report on 
measurable improvements in performance. The legislation encourages CIOs to develop 
agency-wide guidance that requires individual projects to have sound operational 
architectures. This would enable the efficient re-engineering of business processes before 
investing in technology. It also provides a structure for developing sound business cases, 
ensuring adequate security (i.e., having a security architecture for a project), and 
conducting risk assessments and risk mitigation plans. 

We further intended that CIOs would act as an agency oversight mechanism to work with 
the functional owners of information technology (IT) systems to ensure that they knew 
the criteria required before approval of a system investment. 

Furthermore, as part of their capital planning and investment control responsibilities, a 
CIO should be able to come before a Congressional Committee, such as this, outline their 
agency’s top ten investments in information technology, and detail anticipated results of 
those IT investments in terms of specific measurable performance improvements, 
qualitative and quantitative. 

CIOs’ second most important responsibility is providing strategic leadership to the 
agency management table. CIOs are to work with functional owners within their 
agencies to help them determine where re-engineering processes and applying 
technologies can improve network performance and efficiencies. 

Additionally, CIOs should spearhead the development and application of best practices 
from the private sector, other government agencies, and non-profit organizations. 
Clinger-Cohen encourages CIOs to become advocates for transforming government 
through the adoption of best practices. As an aside, when I took on an advocate role for 
best practices during my tenure at the Pentagon, a very senior political appointee within 
the Defense Department’s Comptroller organization told me, “that stuff may work with 
the private sector, but that isn’t how we do business in this building.” 

It is interesting to note that in the original version of the Information Technology 
Management Reform Act (ITMRA) of 1995, which served as the basis for the ITMRA 
version incorporated into Clinger-Cohen, had a requirement for a federal CIO. This 
original version of ITMRA proposed making the federal CIO position a Presidential 
Appointment that required Senate Confirmation and reported directly to the head of 
OMB. This person would have been responsible for assisting all of the departmental and 
agency CIOs in meeting the requirements of the law. Moreover, the federal CIO was to 


3 



54 


ensure that agencies were applying best practices across common functional areas and 
would have been responsible for approving all high risk programs in excess of $100 
million. 

In its current form, the Clinger-Cohen Act clearly states that information resources 
management is the “primary” responsibility of a federal CIO. The law’s intent is to 
prevent the CIO from “wearing two hats” - that is holding two positions at the same time. 
The CIO should be a stand-alone position. In fact, the earlier versions of Clinger-Cohen 
that we proposed to the Administration officials at the time stated that information 
resources management (IRM) would be the “exclusive” duty of the CIO, because we did 
not want CIOs focused on duties outside of their core responsibilities. In the end, we 
compromised on this point, because it was argued that this language would limit CIOs 
from being “free to lead the Combined Federal Campaign on behalf of their 
organization.” Since it seemed reasonable at the time, we regretfully negotiated the 
exclusivity clause out of the final version of the Act and it became an accepted practice to 
“dual hat” CIOs. 


What is the most useful reporting structure for a CIO within a government agency 
to achieve these responsibilities? 

Clinger-Cohen clearly envisions that agency CIOs will report directly to the Agency 
head. If you carefully examine the law’s structure, the performance accountability rests 
with the agency head, and the CIO is delegated the responsibility and, presumably, the 
authority to implement the provisions of the legislation on behalf of the agency head. 

The Act anticipates that CIOs would have an equal seat at the agency management table 
as the Chief Financial Officer. In retrospect, it may have been a little nai ve to believe 
that any function within a federal agency would be on the same level as the financial 
professionals who, based on my experience, hold the power of the purse and 
consequently have better access to and influence with the agency head. 

One major requirement of Clinger-Cohen, which is usually ignored, is for the integration 
of financial systems with the management systems of government. In particular, Section 
5122 of the Act states that the process for conducting capital planning and investment 
control at an agency “be integrated with the processes for making budget financial and 
program management decisions within the executive agency.” This is reiterated in the 
Conference Report language, which in its description of Section 5126, says “The 
conference agreement includes a provision that would require the head of each agency, in 
consultation with agency Chief Information Officers and Chief Financial Officers, to 
ensure the integration of financial and information systems.” 

Irrespective of practice, Congress’ intent is clear. The CIOs were to report directly to the 
agency head, have a seat at the management table, and have visibility and ability to exert 
oversight and control over the agency’s major technology investments. 


4 



55 


Is there a specific duration of time in which a CIO must remain in their position to 
be most effective? 

The draft GAO report highlighted the relatively short tenures of most CIOs. This is a 
critical issue that merits attention. However, 1 believe that it is an effect of multiple 
causes. First, political appointees rarely serve longer than the term of the Administration 
that appointed them. This was the main reason for my departure as Deputy Chief 
Information Officer of the Department of Defense. Secondly, those coming from outside 
the government get into office expecting to have a set of responsibilities and authority as 
outlined in the law and, instead, find that many people within the organization have 
similar responsibilities and authority, which can reduce their perception of the position’s 
importance. By contrast, I believe that the career CIOs who are more familiar with these 
government structures manage their expectations accordingly and are much less 
frustrated by the process. They also understand the agency’s political landscape. 
Consequently, career federal CIOs manage their expectations accordingly and are 
probably more effective in pursuing their agendas - which may or may not be consistent 
with Clinger-Cohen’s true intent. 

Finally, many CIOs find themselves burdened with the responsibility for matters over 
which they have neither the personnel nor financial resources to effectively manage. One 
such area is security. Often, when there is an IT-related issue, the CIO is normally tasked 
with fixing the problem. While it is appropriate for the CIO to issue security policy and 
create mechanisms to enforce the policy, in most cases they are and should be powerless 
to fix security IT problems. Again, the Act does not contemplate CIOs as being 
operators, but rather overseers and thought leaders who add strategic value to their IT 
operations. And again, it is appropriate for an operational unit or agency charged with 
the implementation and management of the enterprise infrastructure (and by association 
security) to report directly to the CIO. 

I believe that the additional burdens placed upon CIOs combined with the fact that they 
are not in the influential positions envisioned by the Act has resulted in many federal 
CIOs leaving prematurely after relatively short tenures. 

Based on my observations since the Act’s passage, I now believe that Chief Information 
Officers’ term lengths should be set by law. Specifically, I feel that CIOs should be 
Presidential appointments with fixed terms that are renewable. These terms should be 
more than six years, but no more than twelve years. Also, there should be special 
provisions for retirement prerequisites to entice highly qualified applicants, and these 
retirement benefits should be contingent upon the completion of their terms. I would 
further recommend that Section 5125’s CIOs should also be subject to Senate 
confirmation. 


5 



56 


What characteristics and qualifications should a CIO possess? 

Chief Information Officers in the federal government should have a strong understanding 
of process improvement, and know how the application of technology can transform 
organizations’ operational effectiveness. As a practical matter, they must be able to 
develop and enforce standards and criteria that improve the effectiveness of agency 
technology investments. 

A background and familiarity with the concepts of portfolio management, risk 
management, architecture and process re-design are also critical. This person should be a 
manager first and a technologist second. This is an important point - CIOs should know 
about how the technology is applied rather than the mechanics of how the underlying 
technology works. This role is not about “bits and bytes” - it is about improving the 
business. CIOs must also balance the position’s management requirements with 
diplomatic skills to develop an effective governance program that includes key functional 
program areas and their organizations’ stakeholders. The CIO’s failure to gain consensus 
and acceptance from the functional areas of the agencies will minimize the CIO’s overall 
effectiveness. 

The Clinger-Cohen Act outlined the requirements and background required for both the 
CIO and Deputy CIO. These two positions should lead any capital planning and 
investment control activity 

The legislation included a specific “Duties and Qualifications” in Section 5125(c). 

(c) DUTIES AND QUALIFICATIONS - The Chief Information Officer of 
any agency that is listed in section 90 1 (b) of title 3 1 , United States Code, 
shall - 

(1) gave information resources management duties as that official’s 
primary duty; 

(2) monitor the performance of information technology programs of the 
agency, evaluate the performance of those programs on the basis of the 
applicable performance measurements, and advise the head of the 
agency regarding whether to continue, modify, or terminate a program 
or project; and 

(3) annually, as part of the strategic planning and performance evaluation 
process required (subject to section 1 1 1 7 of title 3 1 , United States 
Code) under section 306 of title 5, United States Code, and sections 

1 1 05(a)(29), 1 1 1 5, 1 1 1 6, 1 1 1 7, and 9703 of title 3 1 , United States 
Code - 

(A) assess the requirements established for agency personnel 
regarding knowledge and skill in information resources 
management and the adequacy of such requirements for 
facilitating the achievement of the performance goals 
established for information resources management; 


6 



57 


(B) assess the extent to which the positions and personnel at the 
executive level of the agency and the positions and personnel 
at management level of the agency below the executive level 
meet those requirements; 

(C) in order to rectify any deficiency in meeting those 
requirements, develop strategies and specific plans for hiring, 
training, and professional development; and 

(D) report to the head of the agency on the progress made in 
improving information resources management capability. 

The Conference Report additionally states that, “CIOs will possess knowledge of, and 
practical experience in, information technology management practices of business or 
government entities.” 

Also interesting are the Deputy CIO qualifications as described in the Conference Report, 
which reflect the priorities where CIO organizations should devote the most attention. 
Specifically, the Conference Report says that “the conferees intend that the deputy chief 
information officers... have additional experience in business process analysis, software 
and information systems development, design and management of information 
technology architectures, data and telecommunications management at government or 
business entities.” 

I would also promote that one of the most important qualities for the CIO to posses is to 
be a visionary leader as it relates to the use of technologies within their organization. A 
well thought-out strategic vision from the CIO, which should be articulated in the 
agency’s IT strategic plan as required under the Act, should provide the roadmap for all 
of those in the various functions that use IT to follow. This pronounced vision should 
ensure that everyone is working together toward the same goal and promotes a 
collaborative atmosphere. 

What are the major challenges that CIOs face? 

The CIOs in the federal government face a myriad of challenges. They can all be 
summed up in one phrase “cultural resistance to change.” The government has some 
structural management challenges, the first of which is the fact that most departmental 
organizations reflect Industrial Age management structures and practices, rather than 
those of the Information Age. It, therefore, is no surprise that we cannot achieve 
“Information Age” results with an “Industrial Age” bureaucracy. Properly addressing 
these structural and reporting issues is likely to take a long time. 

The GAO report before you, at least in its draft form, mentions the position of Chief 
Operating Officer, who, as in the private sector, would presumably have the Chief 
Financial Officer (CFO), CIO, Chief Human Resources Officer (CHRO) and Chief 
Procurement Officer (CPO) all reporting to this one individual. Based on my two 
decades of experience working in and with the federal government, I think this is an 
excellent idea and merits serious consideration. However, 1 would strongly recommend 


7 



58 


that Agency Chief Operating Officers, as well as all CFOs, CIOs, CHROs, and CPOs, be 
Presidential Appointments that are confirmed by the Senate for periods of more than six, 
but no more than twelve years. These officers could also be re-appointed once their 
terms expire, and the terms should be staggered across the agency positions. The bottom 
line, from my perspective, is that the structure of most federal agencies would benefit 
enormously from such reforms. 

Former Senator William S. Cohen (R-ME), my boss when Clinger-Cohen was passed, 
was very clear and realistic about his concerns regarding the government’ s cultural 
impediments to the Act’s success. Just before the Act’s enactment date, the Senator said, 
“(w)e must understand that the statutory changes made by the new law are only half the 
battle. The other half involves changing the management and organizational culture in 
agencies, OMB and within Congress. Overcoming cultural barriers will require the 
commitment of management at the highest levels of the federal government.” 

Senator Cohen was right, and this culture of resistance to change remains the other half of 
the battle that we have yet to fully win. 

Mr. Chairman and Members of the Subcommittee, I look forward to answering any of 
your questions. 


8 



59 


Mr. Putnam. Thank you very much. 

Our second witness is James Flyzik. Mr. Flyzik is a partner in 
a consulting company he co-founded. Before this, he served as Sen- 
ior Advisor to Governor Ridge in the Office of Homeland Security. 
He provided advice on the national strategy and information man- 
agement. Prior to that, he was the Chief Information Officer for the 
Department of the Treasury. 

Welcome to the subcommittee. You are recognized for 5 minutes. 

Mr. Flyzik. Mr. Chairman, Mr. Clay, distinguished members of 
the subcommittee, it is my pleasure to testify today on issues of 
critical importance to achieving world-class performance within 
Government agencies. I have been involved in information tech- 
nology issues during my entire 27-year government career, and I 
now work in the private sector to find ways to help make govern- 
ment IT programs succeed. I applaud the subcommittee for making 
these issues a priority. 

I had the honor and privilege to work for the public for over 27 
years as a career civil servant. I held senior information technology 
positions at Secret Service, Department of Treasury, CIO, served as 
Vice Chair of the Federal CIO Council from 1998 until 2002. I also 
had the privilege to head up the IT team during the reinventing 
government program and served on the administration’s team dur- 
ing the crafting of the Information Technology Reform Act, the 
Clinger-Cohen legislation. I finished my career as an IT advisor to 
then Governor Ridge, following the terrorist attacks of September 
11. In all these roles, the empowerment of Federal CIOs was the 
key issue that impacted program success. 

My message today is simple: If the Government is to take full ad- 
vantage of the power of IT, it must make achieving world-class IT 
implementation a priority on the agenda of the heads of our Gov- 
ernment agencies. I believe progress to date has been good, but far 
short in what is needed and far short of what Clinger-Cohen origi- 
nally envisioned. Many CIOs today find themselves being held re- 
sponsible and accountable for results, but lack the authority to im- 
pact the programs they are expected to implement. 

I participated in the GAO study of these issues. With that, I will 
address the five questions posed by the subcommittee. 

What are the responsibilities of a Federal CIO most critical to 
success? The CIO must be responsible to bring best-in-class IT 
practices to Government agencies. This implies responsibility for 
gaining detailed understanding of the key critical mission objec- 
tives and defining how IT can realize these objectives. If we are to 
hold CIOs accountable for program performance, then we need to 
empower them to make strategic decisions about resources. This 
means responsibilities for IT capital planning, investment deci- 
sions, budget execution, program and portfolio management. I 
would also suggest that an important responsibility for a CIO is to 
become credible in an agency and part of that senior team making 
strategic business decisions. This means becoming credible to sen- 
ior political executives, career executives, middle management, and 
subordinates. Only when a CIO is seen as a key player can he or 
she be influential in getting results. A CIO will gain this credibility 
by understanding the business objectives of the agency and how IT 
can add value to meeting those objectives. 



60 


On the question of reporting structure, a CIO that reports to the 
agency head immediately gains the empowerment of being on the 
senior leadership team if that CIO has a seat at the table. A seat 
at the table means being part of the strategic decisionmaking, not 
merely a line on an organization chart. Can other organizational 
models work? Yes, but only when the CIO gains the empowerment 
to effectuate change and is seen as part of that senior leadership. 
For example, during my tenure as CIO at Treasury, I reported on 
a dotted line to the secretary for all IT matters, but administrative 
reporting was through an assistant secretary. Yet I believe this 
worked. Why? Because the assistant secretary made it clear to all 
subordinate bureaus that all IT budget and program decisions 
needed to be approved by the CIO. In this case, it wasn’t structure 
that empowered, it was process. But I must also point out that em- 
powerment doesn’t guarantee results. Empowerment provides the 
opportunity for results. A competent CIO will get the results. 

In reference to the question of time duration, I believe a CIO 
cannot achieve any meaningful results if they are in that role less 
than 2 years, based on budget and procurement cycles. On the 
other hand, I also believe it is in the best interest of Government 
agencies to bring in fresh ideas over time. I believe it a good prac- 
tice to rotate CIOs and into key CIO Council executive committee 
positions to encourage the development of alternative viewpoints. I 
believe CIOs should be rewarded for innovative and creative enter- 
prise approaches such as heading up governmentwide initiatives. 

In addressing the question of characteristics and qualifications, 
I would like to point out that the Federal CIO Council invested a 
great deal of time identifying many of the technical and business 
skill sets required to be a successful CIO. Universities now teach 
these. But rather than reiterate these well documented qualifica- 
tions, I would like to point out that a good CIO needs to under- 
stand technology, but, more importantly, how to apply that tech- 
nology to solve business problems. A good CIO has technical skills, 
finds ways to stay current on technology, understand business 
practices and business skills such as financial management, and 
know how to build relationships, relationships with Congress, top 
managers in the agency, the private sector, and their peers. 

Challenges they face are numerous and dynamic. The delicate 
balance of privacy versus national security, interoperability, infor- 
mation sharing. But in my opinion, the most challenging issue is 
the need to use technology to challenge and change agency cul- 
tures, traditional institutionalized processes. We have seen major 
programs continually plagued with cost overruns and time delays. 
We see now new powerful approaches such as performance-based 
acquisitions to address these. The concept is simple, yet imple- 
menting these concepts requires not just the CIO. 

Mr. Chairman, to sum up, if UPS and the Federal Express can 
tell you where and when your package is located at any point in 
time during shipment with a click of a mouse, why can’t Govern- 
ment tell you when your tax return will arrive, how to change your 
mailing address without going agency by agency, when your street 
will be cleared from snow? Citizens demand and expect fundamen- 
tal government information in realtime. 



61 


I thank the subcommittee for giving me this opportunity to make 
my points, and I look forward to working with you in any way I 
can to help move these important issues forward. I would be happy 
to answer questions when appropriate. 

[The prepared statement of Mr. Flyzik follows:] 



62 


STATEMENT OF JIM FLYZIK 
PARTNER, GUERRA, KIVIAT, FLYZIK AND ASSOCIATES 
BEFORE THE GOVERNMENT REFORM COMMITTEE’S SUBCOMMITTEE 
ON TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL 
RELATIONS AND THE CENSUS 
JULY 21, 2004 

Mr. Chairman and distinguished members of the Subcommittee: 

It is my pleasure to be here today to testify on issues of critical importance to acheiving 
world class performance within government agencies. I have been involved in 
Information Technology issues during my entire 27 year government career. I now work 
in the private sector to find ways to help make government IT programs succeed. I 
applaud this subcommittee for making these issues a priority. 

I had the honor and privilege to work for the public for over 27 years as a career civil 
servant. I held senior Information Technology positions in the U.S. Secret Service, 
served as the Department of Treasury CIO from 1997 until 2002, and also served as the 
Vice Chair of the Federal CIO Council from 1998 until 2002. 1 also had the privilege to 
head up the IT team during the reinventing government program and served on the 
Administration’s team during the crafting of the Information Technology Management 
Reform Act — the Clinger-Cohen legislation. 1 finished my government career as the 
senior IT advisor to then Governor Ridge in the White House Office of Homeland 
Security following the terrorist attacks of 9/1 1 . In all these roles, the empowerment of 
federal CIO’s was a key issue that impacted program success. 

My message today is simple: If the government is to take full advantage of the power of 
Information technology, it must make achieving world class Information Technology 
implementation a priority on the agenda of the Heads of our government agencies. 1 
believe progress to date has been good, but far short of what is needed and far short of 
what the Clinger-Cohen legislation envisioned. Many CIO’s today find themselves being 
held responsible and accountable for results, but lack the authority to impact the 
programs they are expected to implement. 

I participated in the GAO study of these issues and tried to ascertain why the government 
continues to struggle with certain aspects of Clinger-Cohen implementation. Is it all 
culture and governance, or are there other underlying issues? With this in mind, I will 
address the 5 key questions posed by the Subcommittee. 

First, what are the responsibilities of a federal CIO that are most critical to the success of 
their organization? 

The CIO must be responsible to bring best in class IT practices into government agencies. 
This implies responsibility for gaining a detailed understanding of the key critical mission 
objectives of the agency and defining how IT can help realize these objectives. If we are 
to hold CIO’s accountable for program performance, then we need to empower them to 



63 


make strategic decisions about resources. This means responsibilities for IT capital 
planning, IT investment decisions, IT budget execution and IT program and portfolio 
management. I would also suggest that an important responsibility for a CIO is to 
become “credible” in the agency and part of the senior team making strategic business 
decisions. This means becoming credible to the senior political executives, the senior 
career executives, middle management and subordinates. Only when a CIO is seen as a 
“key” player, can he or she be influential in getting results. A CIO will gain this 
credibility by understanding the business objectives of the agency and understanding how 
IT can add value in meeting these objectives. 

On the question of reporting structure, the answer is easy. A CIO that reports to the 
Agency Head immediately gains the empowerment of being on the senior leadership 
team if the CIO has a “seat at the table”. A “seat at the table” means being a part of the 
strategic decision-making, not merely a line on an organization chart. Can other 
organizational models work? Yes, but only when the CIO gains the “empowerment” to 
effectuate change and is seen as part of the senior leadership. For example, during my 
tenure as CIO at Treasury I reported on a dotted line to the Secretary for all IT matters 
but administrative reporting was through an Assistant Secretary. Yet this worked. Why? 
Because the Assistant Secretary made it clear to all subordinate bureaus that all IT budget 
and program decisions needed to be approved by the CIO. In this case it wasn’t structure 
that empowered, it was process. But I must also point out that empowerment doesn’t 
guarantee results. Empowerment provides the opportunity for results — a competent 
CIO gets the results. 

In reference to the question of time duration to be effective, I believe a CIO cannot 
achieve any meaningful results if they are in the role less than 2 years. Major IT 
programs in the government take at least 2 years to mature based on budget and 
procurement cycles. On the other hand, I also believe it is the best interests of 
government agencies to bring in fresh ideas over time. I believe it is a good practice to 
rotate CIO’s into the key CIO Council Executive Committee positions to encourage the 
development of alternative viewpoints on policy and program initiatives. I believe 
CIO’s should be rewarded for innovative and creative enterprise approaches such as 
heading up government wide initiatives. Unfortunately, I have seen cases where agency 
cultures create disincentives for individual agency CIO’s to participate and support 
enterprise solutions such as the eGov programs. This needs to be addressed if we are to 
continue to make progress in streamlining government operations and tearing down the 
traditional organizational stovepipes. 

In addressing the question of characteristics and qualifications of CIO’s, 1 would like to 
point out that the Federal CIO Council invested a great deal of time identifying many of 
the technical and business skill sets required to be a successful federal CIO. Universities 
now teach these skill sets. But rather than reiterate these well-documented qualifications, 
I would like to point out that a good CIO needs to understand technology but more 
importantly, understand how to apply technology to solve business problems. A good 
CIO will have good technical skills, find ways to stay current on technology, understand 
business processes and business skills such as financial management, and know how to 



64 


build relationships. A good CIO builds relationships with the Congress, top managers in 
the agency, the private sector, their peers in their own organization and their subordinate 
staff. I would suggest to you that a very important trait is the ability to communicate both 
orally and in writing. CIO’s will gain their credibility based on things they say and do, 
messages they write and presentations they give. 


What challenges do CIO’s face? They are numerous and dynamic from interoperability 
to information sharing to privacy act compliance. The delicate balance of privacy versus 
national security requires sound judgments in database sharing. Information security 
looms large in a world of increased threats from terrorist organizations. But in my 
opinion, the most challenging issue of a CIO is the need to use technology to challenge 
and change traditional agency cultures and the traditional institutionalized processes. The 
challenges of culture and governance far outweigh the challenge of making a technology 
decision. We have seen major programs continually plagued with cost overruns and 
time delays. We see new, powerful approaches such as Performance-Based Acquisition 
to address these systemic problems. The concept is simple, contracts that require 
contractors to share in the risk and reward and team as partners in helping agencies 
achieve its mission objectives. Yet, implementing these new concepts requires not just 
the CIO. It requires a new way of thinking by program officials, acquisition and 
procurement executives, and IT managers. In my opinion, this fundamental culture 
change has a long way to go and we continually see performance based approaches 
looking like traditional contracting approaches. It will take constant, consistent pressure 
to move the government into the world of best practice IT implementations. But it will 
happen. It has to. The customers of government, the citizens of the United States, will 
demand services from their elected officials equal to the best in class they experience in 
the private sector. If UPS or Federal Express can tell you where and when your package 
is located at any point in time during a shipment with the click of a mouse, why can’t the 
government tell you when your tax return will arrive?, how to change your mailing 
address without going agency by agency? When your street will be cleared from the 
snowfall? Citizens now expect fundamental government information in real time. 

Courage and the desire to embrace change ring as two important determinates for CIO 
success. We must do this. Our country’s security, international competition, and our 
economy demand that we find ways to bring world-class IT implementations into 
government agencies. 

I thank the Subcommittee for giving me this opportunity to make my points and I look 
forward to working with you in any way I can to help move these important issues 
forward. I will be happy to answer your questions. 



65 


Mr. Putnam. Thank you very much. 

Our third witness on this panel is Debra Stouffer. In February 
2003, Ms. Stouffer became vice president of strategic consulting 
services at DigitalNet Government Solutions, where she is respon- 
sible for developing and managing a comprehensive suite of analyt- 
ical and technical services designed to enable government and com- 
mercial business leaders to achieve improved mission performance. 
She previously served in the Federal Government as the EPA Chief 
Technology Officer, as the Federal Enterprise Architecture Pro- 
gram Manager at OMB, and as the Department of Housing and 
Urban Development’s Deputy Chief Information Office for Informa- 
tion Technology Reform. 

Welcome to the subcommittee. You are recognized. 

Ms. Stouffer. Thank you. Good afternoon, Mr. Chairman and 
members of the subcommittee. Thank you for inviting me here to 
discuss the evolving role of the Federal CIO. My experience in the 
public sector has shaped my perspectives on the topics that I will 
share with you today. 

In terms of the CIO’s responsibilities and criticality, the role of 
the Federal CIO today is broader and more complex than it ever 
has been. Further, the statutory and regulatory framework is com- 
plex as well. CIO responsibilities are derived from numerous IT-re- 
lated statutes and regulations. For example, there are over nine IT- 
related statutes that lay out the CIO’s responsibilities, and just 
since 1994 at least 12 separate memoranda and circulars issued by 
OMB related to Federal IT policy and budget procedures. 

New Federal CIOs often find it difficult to understand the Fed- 
eral requirements to which they must comply and the competencies 
they must exhibit to perform effectively. Further, CIO duties vary 
across the Federal Government, depending upon the agency’s size, 
complexity, and organizational structure. As size and complexity 
increase and structure is disaggregated, the influence the CIO has 
over business and budget decisions is likely to diminish. 

Until the past few years, Federal CIOs have been responsible for 
the more traditional information resource management concerns. 
Recently, however, as a result of the administration’s efforts to en- 
sure Federal agencies are citizen-focused and results-oriented, the 
CIO is increasingly viewed as a change agent for business mod- 
ernization and transformation. Further, they must ensure that IT 
investments are delivering intended results in terms of mission 
performance, not just finishing on time and within budget. 

In terms of reporting structure, many Federal CIOs report to the 
executive heads of the agencies. I believe, however, similar to many 
comments you have heard today, that based on their evolving role, 
that CIO effectiveness would improve with organizational reporting 
to their agency’s COO, that is, those executives responsible for the 
agency’s day-to-day business operations This would provide the 
CIO with equal footing among agency business leaders in all key 
decisions regarding agency business operations. In addition, Fed- 
eral CIOs informally report to the Administrator for Electronic 
Government at OMB; however, this reporting structure is not clear- 
ly defined in the E-Gov Act of 2002. 

In regards to their optimal time duration, it should be longer. 
Available evidence suggests that the median tenure of a Federal 



66 


CIO is about 2 years. Often, 3 to 5 years is needed to lead business 
transformation. Equally important to tenure is the ability to par- 
ticipate in executive decisions, an activity often limited to politi- 
cally appointed business leaders. Some CIOs are politically ap- 
pointed; others are not. All need to have a seat at the table on their 
senior management teams. Perhaps term appointments are an op- 
tion. 

In regards to personal traits and qualifications needed, CIOs 
must certainly have the correct technical and business and man- 
agement skills to meet their agency’s needs. Further, to lead trans- 
formation, they must be strong leaders, strong communicators, and 
have a strong business acumen. 

Challenges include the following: understanding the existing and 
complex Federal statutory and regulatory framework for informa- 
tion resources management; recruiting and retaining skilled IT pro- 
fessionals, to include project managers; fostering business and cul- 
tural change to achieve e-government transformation; maturing 
governance processes and integrating those governance processes; 
and ensuring adequate resources for cross-agency collaboration are 
identified and made available to the people that are charged with 
implementing e-gov initiatives. 

In conclusion, Federal CIOs can and should play a significant 
role in improving the management and performance of the Federal 
Government, and ensuring that our Government is more responsive 
to the needs of citizens. IT has transformed the way that we all do 
business, and none of us can predict what the future may hold. As 
the CIO role broadens and expectations increase, so do the chal- 
lenges. I am confident, however, that with the proper support from 
Congress and the administration, CIOs can be successful and effec- 
tive in their role. 

I thank the committee for the opportunity to speak this after- 
noon. 

[The prepared statement of Ms. Stouffer follows:] 



67 


STATEMENT OF 
MS. DEBRA STOUFFER 
VICE PRESIDENT 

OF STRATEGIC CONSULTING SERVICES 
DIGITALNET GOVERNMENT SOLUTIONS 
BEFORE THE 

U.S. HOUSE OF REPRESENTATIVES 
COMMITTEE ON GOVERNMENT REFORM 
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, 
INTERGOVERNMENTAL RELATIONS AND THE CENSUS 
JULY 21, 2004 

Good afternoon, Mr. Chairman and members of the subcommittee. Thank you for 
inviting me to discuss the evolving role of federal Chief Information Officers (CIOs) and the 
challenges they face within their Departments and Agencies. 

Prior to joining DigitalNet as Vice President of Strategic Consulting Services, I was 
privileged to serve as the Deputy CIO for Information Technology (IT) Reform at Housing and 
Urban Development, the Chief Technology Officer for the Environmental Protection Agency, 
and Chief Architect at the Office of Management and Budget (OMB). I also co-chaired three 
Federal CIO Council committees on architecture and infrastructure, best practices, and capital 
planning and IT investment; and served on the Executive Committee of the Council for three 
years. 


My experience in the public sector has shaped my perspectives on the following topics 
that 1 will share with you today: 

• CIO responsibilities and their criticality; 

• Organizational reporting structure and the CIO; 

• The optimal time duration for a CIO to serve an organization; 

• The personal traits and qualifications a CIO should possess, and: 

• Major challenges for the CIO. 

Critical CIO Responsibilities 

The role of the federal CIO today is broader and more complex than it has ever been. 
CIO responsibilities are derived from numerous IT-related statutes and regulations, including 
the- 

• Federal Records Act of 1950, 

• Freedom of Information Act of 1 966, 

• Privacy Act of 1974, 

• Government Performance and Results Act of 1993, 

• Paperwork Reduction Act of 1995, 

• Federal Acquisition Streamlining Act of 1994, 

• Clinger Cohen Act of 1996, 

• Federal Information Security Management Act of 2002, and 


July 16, 2004 


Page 1 



68 


• e-Govemment Act of 2002. 

On the regulatory side, since 1994, the Office of Management and Budget has issued 12 
separate memoranda and circulars related to federal IT policy and budget procedures. This 
statutory and regulatory framework is so complex, it is often the case that a new federal CIO will 
lack a basic understanding of the federal requirements with which they must comply, and the 
competencies they must exhibit to perform effectively. 

CIO responsibilities vary across the federal government, depending upon the agencies’ 
size, complexity and organizational structure. As size and complexity increase, and structure is 
disaggregated, the authority of the CIO is likely to diminish. CIOs must play a key role in the 
decisions to initiate, expedite, and cancel IT projects throughout their organizations. This is best 
accomplished through a formal, consensus-building IT governance process, and CIO leadership 
of an investment review board that also includes other senior agency business leaders, for 
example, the Chief Operating, Financial and Procurement Officers. A close partnership between 
the CIO and Chief Financial Officer will also help to ensure that accounting, financial, asset 
management and other information systems are developed and used effectively to provide 
financial and program performance data. 

Until the past few years, federal CIOs have been responsible for the more traditional 
information resource management concerns, such as security and privacy; portfolio management; 
strategic planning; information architecture, collection, and dissemination; records management; 
and systems development and acquisition. Recently, however, as a result of the Administration’s 
efforts to ensure federal agencies are citizen-focused and results-oriented, the CIO is increasingly 
viewed as a change agent for the business modernization of the agency. Such modernization is 
focused on information sharing and integrating business processes and systems across Federal, 
State, and local agencies to improve the level of services that citizens receive. As a result, it is 
no longer sufficient for an agency to develop and maintain an information architecture. Rather, 
an architecture for the entire enterprise is necessary - encompassing an agency’s business lines, 
data, business and service components, and technologies - to identify opportunities for 
intergovernmental cooperation and collaboration. Modernization is a significant challenge, and 
one that requires empowered, decisive CIOs with vision and business acumen, capable of 
effecting tranformational change. 

Finally, consistent with the Adminstration’s efforts to improve government management 
and performance, federal CIOs must ensure that public funds are spent wisely. New agency IT 
investments must be delivered on time and within budget, and deliver intended results in terms of 
mission performance. The likelihood that these objectives will be achieved is improved through 
the CIO’s close coordination with and management of business partners and suppliers. 


July 16, 2004 


Page 2 



69 


Organizational Reporting Structure and the CIO 

Many federal CIOs report to the executive heads of their agencies. 1 believe, however, 
based on their evolving role, that CIO effectiveness would improve with organizational reporting 
to their agencies’ Chief Operating Officers (COO), that is, those executives responsible for the 
agencies’ day-to-day business operations. To be successful, federal CIOs must coordinate 
closely and communicate effectively with agency business leaders, and participate on an equal 
footing in all key decisions concerning agency business operations. This will help ensure that an 
agency’s IT strategy is tightly linked to its business strategy, that IT investments improve 
business performance and contribute to mission results, and that senior business leaders 
understand and actively support the CIO’s efforts to drive business transformation. 

In addition, federal CIOs informally report to the Administrator for Electronic 
Government within OMB, a position created by the e-Govemment Act of 2002 to promote 
intergovernmental collaboration and oversee implementation of e-Govemment in areas related 
to- 

• capital planning and investment control; 

• enterprise architecture; 

• information security; 

• privacy; 

• access to, dissemination of, and preservation of Government information; and 

• accessibility of information technology for persons with disabilities. 

However, this reporting structure is not clearly defined within the Act, and should be clarified to 
ensure all CIOs are aware of their responsibilities. 

CIO Tenure 

Based on available evidence, it appears that the median tenure of a federal CIO is 
approximately two years. However, both current CIOs and former federal IT executives claim 
that three to five years is necessary to prove their effectiveness. I agree, and believe this is 
especially true for those CIOs initiating or leading business transformation within their agencies. 
Business process improvement and system development and implementation is complex, 
requires effective and consistent leadership, and extensive communication and coordination. 

This complexity increases with the number of participating agencies and partners. For example, 
the transition to the Administration’s new lines of business for financial management, grants 
management, and human resources is expected to take a number of years as common solutions 
are identified, and agency migration plans developed and implemented. OMB estimates that it 
will be Fiscal Year 2007 before all of the major line of business goals are accomplished. 

Equally important to the length of tenure is the ability of the CIO to participate in the 
agency’s executive decisions, an activity often limited to politically-appointed business leaders. 
Some federal CIOs are politically-appointed, while others are career executives. It is critical that 
all federal CIOs have a seat on their agencies’ senior management teams. 


July 16,2004 


Page 3 



70 


CIO Qualifications 

Federal CIOs must have the correct technical and management skills to meet their 
agencies’ business needs: understanding of federal IT policy and guidance, including acquisition 
policy; e-govemment, including IT portfolio management and enterprise architecture; program 
management; performance- and results-based management; security and information assurance; 
strategic planning; technology assessment; and process improvement. 

More importantly, however, to reap the full benefits of transformation efforts, the federal 
CIO should possess - 

• strong leadership and communications skills, to gain the support and trust of internal and 
external business partners, and ensure projects are carried out and completed in accordance 
with stated objectives, and 

• business acumen, to easily recognize the business needs of their agencies and work 
effectively with senior business leaders. 

Major Challenges for the CIO 

I believe that the major challenges facing federal CIOs today include - 

1 . Understanding the existing federal statutory and regulatory framework for 
information resources management. CIOs need clarification of the federal IT-related 
requirements with which they must comply, and the accountable executives within 
their organizations. For example. Congress holds the head of each agency 
responsible for complying with the requirements of the e-Govemment Act and the 
related information resource management policies established by OMB. However, 
OMB clearly holds federal CIOs responsible for carrying out these policies. 

Similarly, the Federal Information Security Management Act holds both agency 
heads and CIOs accountable for meeting the information security requirements set 
forth by the Act. 

2. Recruiting and retaining skilled IT professionals, including project managers. Rapid 
advancements in digital technologies and their widespread deployment throughout the 
economy have fueled explosive growth in the demand for professionals skilled in the 
development and use of IT. Unless a federal agency outsources its entire IT shop - 
which is neither feasible nor recommended - it must compete with the private sector 
for a limited supply of skilled professionals. Equally important is the availability of 
skilled IT project managers, to ensure that projects are delivered on time and within 
budget, and deliver intended results. 

3. Fostering business and cultural change to achieve e-Govemment transformation. 

The risks associated with broad-based transformation are well documented, and there 
is no guarantee of success. CIOs must build and maintain effective relationships with 
business partners internal and external to their organizations to help minimize these 
risks and improve the probability of success. Development of mature governance 


July 16, 2004 


Page 4 



71 


processes and the right tools are necessary both within and across Federal agencies to 
help CIOs identify and act on collaboration opportunities. 

4. Ensure adequate resources for cross-agency collaboration. The e-Govemment Act 
established the e-govemment fund to enable the federal government to expand its 
ability, through the development and implementation of innovative uses of the 
Internet or other electronic methods, to conduct activities electronically. Budgetary 
pressures and the need for fiscal discipline, however, have endangered this central 
pool of funds. A strategy must be identified to pool agency resources and ensure 
agencies have sufficient funding for common solutions to improve services to 
citizens. 

Conclusion 

Federal CIOs can and should play a significant role in improving the management and 
performance of the federal government, and in ensuring that the government is more responsive 
to the needs of its citizens. Information technology has transformed the way we all do business, 
and none of us can predict what the future may hold. As the CIO role broadens and expectations 
increase, so do the challenges. I am confident, however, that with the proper support from 
Congress and the Administration, they can be successful. 

I thank the committee for the opportunity to speak with you this afternoon and will be 
happy to answer any questions you may have. 


July 16, 2004 


Page 5 



72 


Mr. Putnam. Thank you very much. And I have been notified 
that we are expecting a series of votes around 4, so I would ask 
for your indulgence. We are going to cut the questions short for 
this panel in hopes of being able to get through the third panel be- 
fore the voting bells go off. 

This is a unique opportunity, I would assume, for former CIOs 
to be able to come back and do essentially an exit interview with 
Congress and have the opportunity to reflect on what you wish 
someone would have told you or prepared you for as you went into 
the job, so that is my first question: What would you advise some- 
one who is considering taking this job, in its current role and its 
current form, with its current responsibilities? What is it that you 
would share with them that you wished someone had shared with 
you? 

And we will begin with Mr. Brubaker. 

Mr. Brubaker. Well, I came at this with a little different back- 
ground; I wasn’t in the Federal Government, I had actually come 
off the Hill and gone into industry for a few years. So having been 
involved in what I thought I knew what the requirements were, 
having been involved in drafting legislation and the position de- 
scription, if you will. My advice would be don’t expect the agency 
to have an understanding of the roles and responsibility of the CIO 
when you walk in. Part of the job is actually to educate your man- 
agement and the people that you work with and your colleagues in 
the agency as to what your role is. The first time you start snoop- 
ing around IT investments — at least this was true when I was at 
the Defense Department — people tend to get pretty excited; they 
feel somewhat threatened. So you have to concentrate on your gov- 
ernance processes, and the culture and how you are going to over- 
come cultural obstacles, and have a proactive plan for addressing 
those issues. 

Mr. Putnam. Mr. Flyzik. 

Mr. Flyzik. Yes, Mr. Chairman, and you are right, it is kind of 
unique to have an opportunity to testify today, for the first time, 
where I didn’t need to go through a clearance process with the leg- 
islative affairs, the legal counsel, OMB, and all the other various 
chains, but be able to write and say what I have been thinking. 
But with that in mind, I would suggest to you, sir, that building 
relationships and partnerships has to be a first step. As I men- 
tioned in my testimony, I believe a CIO can only be effective if they 
are credible, and credible means building relationships within their 
own agency, the career officials, the political officials, members of 
the Hill like yourself and your staff, and OMB and those others, 
and the private sector. I think there is a very fine, delicate balance, 
too. A CIO needs to reach out, get out in the community and build 
these partnerships, but at the same time remember their respon- 
sibilities within their own agency. And I think it is a very delicate 
challenge that CIOs face to do that, but I think it is critical to gain 
that credibility, because once one gains credibility, then one has 
the power to effectuate change. 

Mr. Putnam. Ms. Stouffer. 

Ms. Stouffer. Several things are critical, in my opinion. One is 
to know the business. The CIO has to understand the business of 
the organization, understand where the performance gaps are, and 



73 


be able to apply technology to close those performance gaps or en- 
able business performance. Second, obviously, know information 
technology. You can’t offer up a solution of enabling technology if 
you don’t understand it and know how to apply it. Third, in build- 
ing relationships, you need to communicate, communicate, commu- 
nicate value, and you have to do that differently with different 
stakeholders. So it is important not to have one story, but to be 
able to communicate the value of enabling technology to different 
people in different ways so they understand it from their own 
unique perspectives. 

Mr. Putnam. I would ask all of you also if is it critical that the 
CIO report directly to the head of the agency? And I would ask you 
to be brief. Something more than yes or no. 

Mr. Brubaker. At this moment, yes. I think I covered it in my 
statement. 

Mr. Flyzik. As mentioned in my statement, I think it certainly 
helps gain that credibility I am talking about. I also suggested that 
the key issue is can the CIO be in the strategic management team 
and be empowered. If we are going to hold the CIO accountable for 
results, then they need the responsibility and the authority to con- 
trol resources, both financial and human resources, to get the job 
done. 

Ms. Stouffer. In my opinion, it could be more effective for them 
to report to the COO, and that is a different person in different or- 
ganizations. I say that because the head of an organization or the 
secretary or administrator is typically outward facing, they do a lot 
of externally-oriented work. The deputy or whoever is effectively 
the COO of the organization really runs the day-to-day business of 
that organization. Informally, if not formally, the assistant sec- 
retaries and administrators report to them anyway. 

Mr. Putnam. Is turnover a big deal? And if so, how do we fix it? 

Ms. Stouffer. 

Ms. Stouffer. I think that it is. And, I believe that term ap- 
pointments, and perhaps politically appointed term appointments, 
might be one action to consider. It might help to have term ap- 
pointments that extend more than 18 months or 2 years. Often a 
CIO has even a shorter period than that to be effective when they 
are politically appointed, because the time it takes to bring them 
into the agency. Yet, because political appointees start out with a 
great deal of credibility, they have an easier time coming to the 
table with the other senior business leaders. For this reason, per- 
haps a politically appointed term would make the most sense. 

Mr. Putnam. Mr. Flyzik. 

Mr. Flyzik. Mr. Chairman, I believe the answer to that question 
is it depends how effective the deputy and the staff below the CIO 
are, and how well that succession planning has been built. If you 
build a very strong team and effective staff, then a program should 
be able to sustain its momentum through a turnover process. If you 
can sell your program to the ultimate customer of government, that 
is, the citizen of government, then the program will live beyond an 
individual. And the question is developing key players that can run 
those programs coming up right behind that ClO. 

Mr. Brubaker. Mr. Chairman, I strongly advocate term appoint- 
ments. In my written statement I gave a little more detail on it, 



74 


but I think a term appointment of at least 6 years for a CIO would 
be smart, with a Senate confirmation for those who are statutorily 
required. You know, from personal experience, people can’t wait 
you out. I actually, during my lame duck period, if you will, while 
the administration changed and people knew I was going out, I ac- 
tually had somebody tell me that they were going to wait for the 
next guy, because I was challenging a program and something that 
they wanted to do. So I am a strong advocate of term appoint- 
ments, political, with Senate confirmation for the statutorily ap- 
pointed ones. 

Mr. Putnam. Why is it so important that a CIO have Senate con- 
firmation? 

Mr. Brubaker. Why is it important? 

Mr. Putnam. I know you would never get that question in the 
Senate. 

Mr. Brubaker. It is important for oversight purposes, to make 
sure that you take a look at — it provides an opportunity to talk 
about what that agenda is going to be. It provides an opportunity 
for the appointee and the agency to commit to certain types of over- 
sight and to ensure that appointee is going to be given the support 
on the part of the agency. It gives you an opportunity to have a 
hearing, it gives you an opportunity to talk to some of the agency 
officials to make sure that they understand what the roles and re- 
sponsibilities are, and I think it is good to vet those people through 
that process. 

Mr. Putnam. How do we hold CIOs accountable? 

Mr. Brubaker. Mr. Chairman, can I add something to that as 
well? 

Mr. Putnam. Sure. 

Mr. Brubaker. If you are conducting oversight over other PASes, 
Presidential appointment, Senate confirmed, there is a hierarchy 
that is important as well, and I don’t want to underestimate that. 
If you are giving advice on technology programs in an oversight ca- 
pacity to somebody who is a Presidential appointment that has 
been Senate confirmed, you rank up there with them, and, frankly, 
that is another real reason to have a Senate confirmation; it is a 
hierarchical, it is a pecking order issue. 

Mr. Putnam. It is an ego issue for the Senate. 

But the accountability issue I think is important. How do we 
really get down to holding CIOs responsible for $100 million 
projects that go south, that fall 3 years behind, that are abandoned 
midstream? What is the appropriate level of accountability, what 
form does it take, and is it adequate? 

Mr. Brubaker. There is an accountability issue, but there is also 
a responsibility issue, and the issue that Clinger-Cohen was a 
three-legged stool: you have responsibility that is delineated on the 
part of OMB, you have responsibility that is delineated to the agen- 
cy head, and you have responsibility that is delineated to the CIO; 
and they all have to work in concert. And there is a lot of authority 
there, but there isn’t the commensurate responsibility because the 
law, frankly, hasn’t been implemented as it was originally envi- 
sioned. You know, can you take somebody to the woodshed, if you 
will, on a program that went south? Yes, you can do it, you can 
beat them up, but if they didn’t have absolute responsibility, au- 



75 


thority, and budget control over that program, then it is pretty dif- 
ficult to make a fair case that they were responsible for the pro- 
gram going south. There is too much diffused responsibility and not 
enough — you know, we used to refer to it as who is the single belly 
button. Who is the single person that I can point to who has abso- 
lute accountability, authority, responsibility for a program? And, 
frankly, it is almost by design in the bureaucracy that responsibil- 
ity is diffused among a lot of different people, because a lot of dif- 
ferent people want to play in that role. 

And what Clinger-Cohen tried to do was delineate those respon- 
sibilities and be clear about who was responsible for what, and, 
frankly, we are not to that point yet; you have too many people 
with their hands in that cookie jar, and then when the cookie is 
gone, you can’t figure out who took it. 

Mr. Putnam. Mr. Flyzik. 

Mr. Flyzik. Yes, sir. The accountability issue, as I mentioned be- 
fore, I am a big advocate of performance-based approaches, and I 
think one can define performance metrics, as well as with contrac- 
tors. However, if we are going to hold the CIOs responsible and ac- 
countable, they need to have the authority to control those re- 
sources. I would suggest that when a project is approved, particu- 
larly in a performance-based environment, that CIO be given the 
authority and the budget to put that program in place, and be held 
accountable, and have the authority to control the resources nec- 
essary to get that job done. And if more resources are needed, the 
authority to work with the CFO and agency head to come back up 
to the appropriations process and be completely in charge of the 
program. I feel in a lot of cases were are holding CIOs accountable 
because you have to hang someone when things don’t work. But, 
yet, if you look behind the scenes, did that CIO really have the 
ability to control the financial resources and the human resources 
in that agency? 

I will give you an example. We talked today about the Ds re- 
ceived in information system security. I believe a lot of CIOs in 
Government know what it takes to address those deficiencies in in- 
formation system security, yet they lack the dollars and the re- 
sources and the staff to do it, and the authority to get that re- 
sources and staff. So I think we need a model that, as when 
projects are approved, dollars are set aside, but those dollars are 
controlled by the CIO, and then we can hold them accountable. 

Mr. Putnam. Ms. Stouffer. 

Ms. Stouffer. I think there would be value in reworking the en- 
tire statutory framework and providing more clarity regarding 
roles and responsibilities and accountability. Clearly, the CIO 
needs to have influence on the budget process, particularly as it re- 
lates to information technology investments. So clearly understand- 
ing that they have a place at the table in that process is important. 
It would be helpful if OMB worked to develop strategy that is con- 
sistent across the board on how we pull funds when we do cross- 
agency initiatives. This strategy would address consistent criteria 
for how agencies are assessed for their share of an initiative mak- 
ing it easier for the CIOs when they are actually trying to imple- 
ment e-gov initiatives and scramble for dollars at the same time. 



76 


So I think, again, one value would be to rework the entire statu- 
tory framework and the guidance that is coming out of OMB, pro- 
vide some clarity, perhaps consolidate some of it in such a way that 
it is easier to understand and point to; and I think that would be 
useful. 

Mr. Putnam. You have also served as a CTO. 

Ms. Stouffer. Yes. 

Mr. Putnam. Some agencies have them, some agencies do not. 
Please, if you will, share our impressions of the value of having a 
CTO as well as a CIO, and whether that is something that should 
be adopted by every agency. 

Ms. Stouffer. I believe that having a position entitled CTO is 
valuable. I think that even where you have organizations that don’t 
have a position entitled CTO, you often have people fulfilling that 
role entitled something else. Typically they are more focused on the 
technology issues and less focused on the information issues and 
the business issues associated with performance gaps and 
leveraging technology to fill those gaps. So they are very focused 
on technology. I think CTOs are everywhere, they just have dif- 
ferent titles at different agencies. 

Mr. Putnam. And finally, because we are going to need to seat 
the third panel — I hate to cut this short, but we will be submitting 
questions and answers for the record — as we have all of these hear- 
ings, typically agency culture, personnel and training are greater 
issues than technology itself in terms of being an impediment to 
progress and to change. Has the role of the CIO been fully accepted 
and worked into the management structure of the agencies as you 
have seen it? Ms. Stouffer. 

Ms. Stouffer. I believe that CIOs are becoming more and more 
effective. Obviously, as technology advances and as CIOs mature 
and their role in the organization is better understood, they are 
having more and more of an impact. Technology has now actually 
become disruptive in some cases because it is driving certain busi- 
ness decisions in areas where it can actually accomplish business 
needs. Having the knowledge of emerging technologies, and how 
they can further desired business outcomes is important. The CIO’s 
contribution in making major business and technology decisions is 
increasingly recognized. So they are making progress. 

Mr. Putnam. Mr. Flyzik. 

Mr. Flyzik. Mr. Chairman, I believe the results are mixed all 
over the Government. I believe in some Government agencies you 
see CIOs making strategic decisions in part of every strategic proc- 
ess that takes place; I think in others we have a long way to go. 
I think in some agencies under secretaries, assistant secretaries 
view the CIO as someone that gets in the way and I need to find 
my way around that particular individual in order to get my pro- 
grams done. All in all, though, I think we are moving in the right 
direction and I think hearings like these are a good way to keep 
the momentum on the move in that direction. I think culture 
change, sir, takes a long time. I know my life at Treasury, I believe 
it took, in my opinion, probably 10 years before we actually got into 
a true enterprise environment from the days it was first talked 
about to where everybody actually bought into a concept of an en- 
terprise approach to very large programs. I think culture is going 



77 


to take time, but I think we are moving in the right direction and 
I think we have to keep the pressure on and keep momentum mov- 
ing in the right direction, and I applaud this subcommittee for 
being a catalyst in doing that. 

Mr. Putnam. Mr. Brubaker. 

Mr. Brubaker. Yes, I think the prior two speakers are right. It 
depends on the agency. Yes, in some cases; no in many others. But 
from my view, my experience in government, things seem to just 
be moving too slowly, and that is why I was particularly pleased 
to see the advocacy of the chief operating officer position in the 
GAO report. Maybe advocacy is too strong of a word, but they men- 
tioned it, and I have seen it in the press and in some pronounce- 
ments out of GAO, where they seem to be advocating for a chief 
operating officer position that would be a term appointment with 
a contract that would lead that management team of the CIO and 
the CFO to really transform agencies. I think that is critical. I 
think you are still dealing with that industrial age bureaucracy, if 
you will, and we are expecting information age results out of it, 
and it just doesn’t work. 

Mr. Putnam. Thank you all very much. I again apologize for cut- 
ting this short, but we are interested in hearing from all three pan- 
els before the meeting is broken up by votes. 

So at this time the subcommittee will recess to set up the third 
panel. Thank you all very much. 

[Recess.] 

Mr. Putnam. The third panel, I appreciate your patience and 
your willingness to come before the subcommittee. Please rise and 
raise your right hands for the administration of the oath. 

[Witnesses sworn.] 

Mr. Putnam. Note for the record that all the witnesses re- 
sponded in the affirmative. 

Our first witness for this panel is Kim Nelson. Ms. Nelson is the 
Assistant Administrator for Environmental Information and Chief 
Information Officer at the EPA. Before joining EPA, Ms. Nelson 
served the Commonwealth of Pennsylvania for 22 years. Notably, 
she was the first executive to hold the position of chief information 
officer in Pennsylvania’s Department of Environmental Protection. 

Thank you for joining the subcommittee again. Your testimony is 
always very helpful. You are recognized for 5 minutes. 

STATEMENTS OF KIMBERLY NELSON, ASSISTANT ADMINIS- 
TRATOR OF ENVIRONMENTAL INFORMATION AND CHIEF IN- 
FORMATION OFFICER, ENVIRONMENTAL PROTECTION 
AGENCY; STEVEN COOPER, CHIEF INFORMATION OFFICER, 
DEPARTMENT OF HOMELAND SECURITY; VANCE HITCH, 
DEPUTY ASSISTANT ATTORNEY GENERAL, INFORMATION 
RESOURCES MANAGEMENT AND CHIEF INFORMATION OFFI- 
CER, U.S. DEPARTMENT OF JUSTICE; AND IRA HOBBS, DEP- 
UTY ASSISTANT SECRETARY FOR INFORMATION SYSTEMS 
AND CHIEF INFORMATION OFFICER, DEPARTMENT OF THE 
TREASURY 

Ms. Nelson. Thank you, Mr. Chairman. I appreciate the oppor- 
tunity to return today and talk about some of the issues that are 
on your agenda today, particularly the role of the CIO. You have 



78 


asked some important questions, and while I have answered those 
in my written testimony, I will just briefly touch on some of those 
as part of the oral testimony here today. 

First and foremost, I want to emphasize the fact that the chief 
information officer title has the word information in it, and that is 
important. What is also important is that the word technology is 
not there. And what I want to emphasize is the fact that it is the 
information component which I think is most important to the role 
that we play in our organizations. And while technology is impor- 
tant and we tend to talk a lot about IT and technology, the fact 
is that technology is only an enabler, and what you are looking for 
in a CIO is somebody who can really work with people and organi- 
zations to achieve results; and that takes a lot of work to work in 
concert with people and processes to make a difference in your or- 
ganization. 

You have asked some questions about the responsibilities that 
are most critical for a Federal CIO. I was looking at this chart be- 
fore the hearing began, and looked at all the responsibilities that 
were listed there. In my own testimony, I focused on those that are 
listed at the top as some of the most important ones, and I think 
that is supported by the chart. I would say, however, that the posi- 
tion I hold at EPA in fact includes all of those responsibilities in 
whole or in part, including the one at the bottom, statistical work. 
For instance, this last year my office, in conjunction with our Office 
of Research and Development, issued the first ever Report on the 
Environment. And again that is significant because it is the first 
time we were ever able to report to the American public what we 
know about the condition of the environment, and that is a way to 
use information to be able to demonstrate real results. Again, the 
focus being on how we use information. 

Reporting structure has been a topic today. I do think it is an 
important topic. I believe I am fortunate to have, frankly, one of 
the best positions in the entire Federal Government when it comes 
to the roles and responsibilities of a CIO. At EPA I report to the 
administrator through the deputy administrator. I have a position 
that is equal to the peers in my organization that manage the busi- 
ness units, the air office, the water office, the emergency response 
and waste office. So I sit at the table at the same level and with 
the same political appointment and confirmation by the Senate as 
the other people who are setting policy within the organization. I 
think that is important because if you look, frankly, at some of the 
most recent Gartner research, what it shows is that it is important 
to have that ability to sit at the table and have access to an under- 
standing of the business of the organization. And, frankly, if I 
weren’t at that same level, I would not be able to interact with 
those that are making business and policy decisions within the or- 
ganization. 

When we talk about the duration, I, of course, am new to the 
Federal Government. I guess when you had your previous panel 
here, I am the first one speaking who actually came in as someone 
new to the Federal Government to have taken the CIO position. I 
had 22 years in State government; I actually held a very similar 
position in my agency shortly before I left there. I came into this 
position fully expecting to stay at least 3 years, and in September 



79 


will mark 3 years from the date I arrived and November will be 
3 years from the date I was confirmed. And I expect it will take 
at least that amount of time to achieve some of the things I wanted 
to do when I came on board; and I cited a number of reasons why 
I think 3 years is important in my testimony that I submitted. 

Finally, some of the characteristics that are important to the 
CIO; you have already heard about vision, leadership, communica- 
tion. They are all important. The bottom line is you have to be able 
to deliver results. 

And, last, the one point I want to make about the biggest chal- 
lenge. The single biggest challenge, in my mind today, is the CIO’s 
responsibility to manage enterprise-wide projects. We talked about 
some of those at a hearing earlier. The governance issues surround- 
ing managing projects across agency are considerable, and we are 
treading new water here. We are breaking new ground, and it is 
critical we establish those processes for managing these govern- 
mentwide projects. 

So I will stop there and I will take questions later when you are 
ready. Thank you. 

[The prepared statement of Ms. Nelson follows:] 



80 


Testimony of Kimberly T. Nelson 

Assistant Administrator for Environmental Information and 
Chief Information Officer 
U.S. Environmental Protection Agency 

before the 

Subcommittee on Technology, Information Policy, Intergovernmental Relations and 

the Census 

U.S. House of Representative 
July 2 1,2004 


Good afternoon. Thank you for the opportunity to testify on the evolving role of 
the federal Chief Information Officer. This testimony reflects my role as the Chief 
Information Officer (CIO) at the U.S. Environmental Protection Agency (EPA). I 
appreciate having this opportunity to appear before this subcommittee today to discuss 
this important issue. 

The role of the federal CIO has evolved significantly over the last several years. 
Today, information management and technology continue to be increasingly important 
where the need for timely information is critical. The main goal of the federal CIO is to 
improve services to citizens to operate the federal government in a more efficient manner 
and to help the federal government achieve results. Thoughtful investment in 
information technology (IT) infrastructure and information technology has the potential 
to significantly improve government’s effectiveness and efficiency. Technology alone, 
however, cannot achieve a better government and to achieve the goals the President’s 
Management Agenda. Technology serves as a critical enabler, but it must work in 
concert with people, processes, and information to achieve real results. 



81 


Responsibilities most Critical to the Federal CIO: 

As the federal CIO at EPA, my work to improve the quality and availability of 
information is critical to the functions of the Agency. Accurate, timely, and usable 
information is the foundation for decisions and actions taken by Agency officials, states, 
tribes, and others responsible for protecting human health and the environment. 

Effective information management and technology support plays a key role in the ability 
of the Agency to achieve its mission and attain its strategic goals. 

I believe the responsibilities most critical to the success of EPA include enterprise 
architecture planning, capital planning and investment control (CPIC), and information 
security. The responsibilities of the CIO is to move the enterprise toward enterprise 
thinking by developing: an enterprise architecture, a portfolio approach to managing and 
securing IT investments, and a capacity to direct resources to implement and operate 
enterprise solutions. Without this foundation, an agency is not able to efficiently 
interoperate with other federal, state, local, and tribal entities in a coordinated approach 
to provide service to the public. 

An enterprise architecture\qerves as a tool for the agency leader to readily 
visualize how and where to best apply resources-people, technology, and money-to attain 
the organization’s strategic goals, Once the agency’s business is captured in the 
enterprise architecture, an appropriate IT Portfolio can be established that truly supports 
the Agency’s mission. Once the appropriate portfolio is determined, the capital planning 
and investment control (CPIC) practice ensures that IT projects are properly managed. 



82 


An enterprise architecture allows the agency to secure its valuable and critical 

assets, and assists the agency to establish priorities for the protection of national assets. 

A CIO must be able to direct limited security resources to protect the most critical assets. 

Most Useful Reporting Structure to Achieve Responsibilities 

At EPA, the CIO reports directly to the Administrator, through the Deputy 
Administrator, ensuring high visibility and support for information management issues. 
In addition, the CIO is a peer to EPA national program managers and the Chief Financial 
Officer. This reporting structure is critical in providing the CIO with the appropriate 
authority to fulfill information and information technology management needs. 

As the EPA CIO, I lead an organization responsible for a full range of 
information technology, information management, and information policy duties. In 
addition to serving as the CIO, I also serve as the Assistant Administrator for 
Environmental Information, the Chair of the EPA Quality and Information Council, and 
the EPA Agency Senior Management Official for Quality. In my role as CIO, my 
primary responsibilities includes supporting all aspects of the Agency’s national 
information systems including the infrastructure, architecture, applications development, 
hardware, capital investment and security measures. In addition, program offices across 
the Agency have IT and information management (IM) officials who work with EPA’s 
Office of Environmental Information to ensure policies are implemented on an Agency- 
wide basis. 


Minimum Duration of Federal CIO Tenure 



83 


The minimum tenure i'ora federal CIO is driven by many variables including lire 
individual’s knowledge base, the placement of the individual within the organization, and 
the degree to which the organization must respond to changing interna! and external 
requirements. Clearly, the length of time a person chooses to stay in a position is a 
deeply personal decision. In my case, I have made the decision that three years is the 
minimum needed to effectuate the changes I envisioned for EPA. Three years is needed 
to experience a full budget cycle - from request to execution. Three years is often needed 
to see a project from concept to reality. And three years is about the time needed to not 
only introduce transformational thinking, but also to institutionalize the changes within 
the organization. 

Characteristics and Qualifications of Successful Federal CIO 

A successful CIO should possess certain skills and attributes. Most important 
among these, the federal CIO must be both a visionary and a leader. The capacity to lead 
people and effectuate change is paramount in the evolving federal IT environment. Now, 
more than ever, the federal CIO must possess the ability to manage collaborative 
processes that lead to consensus. This consensus is best realized through open, balanced, 
and inclusive approaches where stakeholders work together to develop solutions. This 
ability to build consensus both inside the organization and the broader government 
community will continue to be one of the most important skills the federal CIO must 
possess in order to be effective. 

The federal CIO must also have a strategic perspective of information and 
information technology, perceive information as a vital resource, and have the ability to 



84 


align solutions to meet the agency's mission. The federal CIO must have the business 
acumen to run a disciplined operation to meet increasingly more difficult performance 
goals and accountability objectives required by this position, again in a way to ensure the 
agency’s mission is achieved. 

Major Challenges Facing the Federal CIO 

Although the federal CIO encounters a vast number of challenges, the two most 
significant challenges include maintaining a high quality IT workforce and managing 
enterprise-wide projects. 

In my opinion, enterprise architecture, capital planning and investment control, 
and information security are the federal CIO’s three most important responsibilities in 
striving to achieve the President’s Management Agenda. As the federal government 
migrates toward interoperable enterprise architecture through collaboration with state, 
local, tribal partners, and other stakeholders, the success of the E-Govemment initiative 
will be dependent on each Agency’s ability to contribute. The federal CIO must possess 
sufficient resources to invest in the workforce in order to embed these skills within 
her/his organization. According to a recent report from the National Academy of Public 
Administration (NAPA), the marketplace for IT talent will remain competitive for the 
next 20 years making this task more difficult. The NAPA study also reported that the 
retirement of a significant number of IT leaders and staff will occur over the next five to 
ten years and it will be necessary to add up to 45,000 new IT employees to the federal 
workforce over this time period. 



85 


Another major challenge to the federal CIO is tire IT governance relating to 
enterprise-wide solutions. As an example, EPA currently serves as the lead Agency for 
the E-Rulemaking initiative. Through collaboration and a commitment to the benefits 
inherent in E-Govemment, the E-Rulemaking initiative has made significant strides 
toward creating a more efficient, integrated, publicly accessible approach to the 
regulatory process. The goal of the initiative is to help overcome barriers to public 
participation in the federal regulatory process by improving the public’s ability to find, 
view, and comment on regulatory actions, as they are developed. 

Despite our progress, we continue to face a number of critical challenges to the 
implementation of this enterprise solution. These challenges do not stem only from 
technology, but also relate to organizational change, communication and coordination, 
and funding. 

EPA and its partner agencies have developed and continue to develop 
information technology solutions for E-Rulemaking that could impact and ultimately 
benefit over 150 federal departments and agencies, many of which have well established 
regulatory processes in place. Approximately 25 departments and agencies have existing 
technology systems in place (ranging from accepting public comments via email and 
posting materials on simple HTML Web sites to sophisticated document management 
systems). Resistance to change within an agency can be significant. Implementing new 
technology within the agency and across government is challenging and often requires 
institutional and organizational changes. 

Addressing and adjusting to organizational change requires constant coordination 
and communication among agencies at many levels (from CIOs, General Counsels, and 



86 


Deputy Secretaries, to technical stall, attorneys, budget personnel, and rulcwriters). We 
have established a permanent organization in my office to facilitate this process as well 
as to develop and deploy the centralized Federal Docket Management System required 
under the E-Govemment Act. In addition, I established a number of inter-agency groups 
to guide and govern this process-starting with an E-Rulemaking Executive Committee, 
which I co-chair, an Advisory Board comprised of senior Agency managers that meets 
monthly, and various workgroups (e.g., legal/policy, budget, Regulations.gov, FDMS 
development). This constant need to coordinate takes a significant amount of time and 
effort on my part and that of my staff. 

The other challenge we face is funding from a two-fold perspective. The success 
of the E-Rulemaking initiative, like other E-Govemment initiatives, is dependent on 
contributions from participating federal departments and agencies. Participating agencies 
developed a cost allocation approach that covers start-up and development work, and we 
will move toward a user-fee approach for on-going operations and maintenance. 
Currently, this requires separate agreements and memorandums with each of the 
approximately 40 paying agencies. The process can take several months before the final 
agreements are signed and the money transferred. We are working cooperatively to 
overcome this funding challenge. 

The two most significant challenges the federal CIO faces include maintaining a 
high quality IT workforce and managing enterprise-wide projects. These challenges will 
only be accomplished through strong leadership by the federal CIOs. 


Conclusion 



87 


In closing, it is apparent that the role oh the federal CIO has evolved s'ignilicamly 
in the past several years. Advances in information management and information 
technology can help federal departments and agencies improve the delivery of service. 
Creating the federal CIO in federal departments and agencies was a critical first step. 

To be truly effective, the federal CIO must have a seat at the agency's leadership 
table. They must work toward enterprise solutions within their agency and across the 
federal government through the federal CIO Council. The federal CIO requires the 
ability to hire and retrain the needed skilled workforce, particularly in information 
security and enterprise architecture and solutions. The challenge of meeting higher 
performance standards and managing more complex projects, which often extend beyond 
traditional agency boundaries, reinforces the Clinger-Cohen requirement for high level 
CIOs. 

Thank you for the opportunity to testify on the evolving role of the federal Chief 
Information Officer. I would be happy to answer any questions you may have. 



88 


Mr. Putnam. Thank you. 

Our next witness is Steven Cooper. Mr. Cooper was appointed by 
President Bush to be the first CIO of the Department of Homeland 
Security. He and his team have responsibility for the information 
technology assets supporting 190 Federal employees of the 22 agen- 
cies now comprising the new department. Before joining Federal 
Government service, Mr. Cooper spent more than 20 years in the 
private sector as an information technology professional. 

Welcome to the subcommittee. You are recognized, sir, for 5 min- 
utes. 

Mr. Cooper. Thank you, Mr. Chairman. It is indeed my pleasure 
to appear before you today and share a few views based upon near- 
ly 30 years as an information technology professional, including the 
past 2 V 2 in the Federal sector. I have served as the CIO of the De- 
partment of Homeland Security since its inception, and it has been 
a fairly significant learning curve for me coming into the Federal 
environment. There is, as you have heard from previous panelists, 
a significant amount of legislation and statutory requirements 
which, in a very short period of time, is fairly substantial to absorb. 
Therefore, I would argue that one of the primary responsibilities of 
any CIO is to ensure the optimal and appropriate use of informa- 
tion and to understand the legislative and statutory requirements 
that enable an agency to succeed and a CIO to be successful. 

A CIO must also act as an agent of change by guiding organiza- 
tional and transformational and business process re-engineering to 
most effectively meet the strategic and operational objectives of the 
agency. I would argue that the CIO is one of the very few individ- 
uals whose view of the agency is always horizontal. Every day we 
see not a vertical view of any particular business unit or organiza- 
tional segment, but we are the people who are held accountable for 
understanding how all those moving parts and pieces that use in- 
formation technology fit together. It is in that context that I do 
think that the placement of the CIO in the organization does be- 
come important. 

What is most important has been stated by my colleagues here 
on this panel and the previous panelists, and that is the seat at 
the business table is what is critical. The placement in the organi- 
zation, simply put, the higher the level, the more that the place- 
ment kind of ensures the seat at the table. It doesn’t automatically 
imply that a CIO cannot succeed if they do not report directly to 
the secretary. It makes it significantly more difficult the more lev- 
els that the individual is kind of down from the head of the agency, 
and you have to offset that by the time it takes to then build the 
credibility and gain the seat at the business table. 

With regard to roles and responsibilities, primarily the CIO is re- 
sponsible for leading the use and application of all IT assets de- 
ployed across the department, and that includes both the human 
resources and the financial resources. That is what actually en- 
sures the ability to use information effectively within the depart- 
ment. This is achieved, in my opinion, by guiding the department’s 
development and use of enterprise architecture best practices, and 
they include obtaining senior management employee buy-in and in- 
volvement, demonstrating how IT can enable mission effectiveness 
and efficiency; guiding the proper choice of technology to meet mis- 



89 


sion goals; documenting and using portfolio management tech- 
niques that allow rapid decisionmaking regarding IT investment 
choices in very difficult times and also in a resource-constrained 
environment. 

As far as characteristics and qualifications that CIOs should pos- 
sess, good business skills, business mission operation sense of what 
is going on in the agency, that is the credibility; good management 
skills, ability to lead change, working knowledge of IT gained from 
hands-on or practical experience, great communication skills, and 
most importantly, in my opinion, a sense of humor and a pretty 
tough skin. Guts are in there somewhere. We have to be able to 
place mission first and career second. We are held accountable for 
basically everything in the IT environment. And I will leave to my 
colleagues and previous panelists, and perhaps the question and 
answer period, how best to actually accomplish accountability, re- 
sponsibility, and the blend thereof. I happen to think that a whole 
lot of it has to do with metrics and performance measures. 

In closing, I would simply like to say that the opportunity is 
unique at the moment inside the Department of Homeland Security 
simply because we are still in a startup mode, and a lot of what 
I face as a CIO in the Department of Homeland Security, I am en- 
vious of other CIOs who have a bit more stability and maturity to 
their organizations. So some of what my experience has been may 
not be reflective or may not be typical of what some of the other 
more mature departments and other Federal CIOs may face. 

I look forward to your questions. 

[The prepared statement of Mr. Cooper follows:] 



90 


Statement by 
Steven I. Cooper 
Chief Information Officer 
U.S. Department of Homeland Security 

Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations 

and the Census 
U.S. House of Representatives 
July 21,2004 


Mr. Chairman and Members of the Subcommittee: 

Good afternoon. I am Steve Cooper, Chief Information Officer of the Department of Homeland 
Security. It is my pleasure to appear before you today to provide my opinion and insights into 
the role and responsibilities of a Federal Chief Information Officer and the various challenges 
associated with this position. My views are based upon nearly thirty years as an Information 
Technology professional, including the past 2 Vi in the federal environment. My experience 
includes CIO roles in the private sector with Fortune 200 corporations, and senior technical and 
management roles in information technology consulting to federal, state, local and commercial 
organizations. 

I have served as the CIO of the Department of Homeland Security since its inception. It has 
been both my pleasure and my privilege to join the ranks of the Federal CIO community. The 
passage of the Clinger-Cohen Act in 1996 was a bold statement signifying that Information 
Technology, and the management of this resource, was to be a top priority across the federal 
government. The creation of the Chief Information Officer position within each department 
clearly established a leader for the Information Technology function and provided a single focal 
point for leadership within a federal agency. This measure has been integral in driving an 
enterprise view of IT investment and capital planning and in promoting more efficient and 
effective management of IT. 

I’d like to offer my thoughts in areas of interest posed by the committee. 

We are titled Chief Information Officers, not Chief Information Technology Officers. I believe 
strongly that the primary responsibility of any CIO is to ensure the optimal and appropriate 
use of information by a department. Understanding business processes and information 
requirements is a critical success factor that allows the CIO to serve as the key information 
advisor to senior executives. This understanding, coupled with knowledge of how information 
technologies may be applied to achieve desired business objectives, place the CIO at the table 
when policy decisions where IT can make or break a desired objective are being made. 

The CIO must also act as a change agent by guiding organizational transformation and business 
process reengineering to most effectively meet the strategic and operational objectives of the 


1 



91 


agency. The CIO is one of the few individuals whose view of their agency is always horizontal - 
the ability to see opportunities for integration, consolidation, and rationalization is imperative for 
achieving more with less in our resource constrained environment. Of course, continually 
pushing for change that crosses organizational boundaries usually makes the CIO a target of 
those who resist change and prefer to protect the status quo, so thick skin helps considerably! 

Leading the use and application of IT assets deployed across the department, including human 
and financial resources, is what ensures the ability to use information effectively. This is 
achieved by effectively guiding the department’s development and use of Enterprise 
Architecture best practices: obtaining senior management and employee buy-in and 
involvement; demonstrating how IT can enable mission effectiveness and efficiency; guiding the 
proper choice of technology to meet mission goals; and documenting and using portfolio 
management techniques to allow rapid decision making regarding IT investment choices in 
turbulent (i.e,, terrorist threatening) times. 

I don’t believe there is one answer to the question “how long must a CIO serve to be effective?” 
The learning curve of a CIO is dependent upon a number of factors, such as the maturity of the 
organization and the current business environment. In organizations that are more mature and 
operating in a relatively stable environment, the CIO can likely come up to speed in a year. 
However, for organizations that are still in the formidable stages of development, the CIO may 
need to be in place for a longer period of time, in order to understand the business strategy, 
establish the vision for the IT function, provide direction for IT investments, lead change, and 
deliver results. 

There are several characteristics and qualifications that CIOs should possess. First, a CIO should 
have good business skills, a business/mission operations sense. Effective CIOs must serve the 
leadership of a Department; we must understand and be able to communicate in business, not 
technical, language. We have to be able to translate technospeak into business driven 
communication. Second, we should have good management skills to lead an IT organization, to 
hire, motivate and develop staff, and to operate within a budget. Third, we must be able to lead 
change. We have to understand what motivates people and what matters to them on an 
organizational and personal level. Fourth, we have a working knowledge of IT gained from 
experience, but do not need to be expert in all TT areas. We need to be able to evaluate the 
technical competency of key staff and understand recommendations from internal and external 
technical advisors. Fifth, we must have great communication skills, both listening and 
speaking. They must be marketers and evangelists to promote their products and services. Sixth, 
they need a sense of humor. This job is filled with ups and downs. We’ve got to be able to 
laugh at ourselves and at the inefficiencies and sources of high frustration that come with the 
role. Finally, we need Guts. We must be able to place mission first and career second. 

A Departmental CIO is held accountable for the entire scope of IT - from IT strategic and capital 
planning, IT human capital, enterprise architecture, e-govemment, to information security, 
including specific statutory responsibility for leading the internal cyber security efforts of the 
department. These functions touch all areas of the enterprise. The CIO strategically plans for 
enterprise-wide IT resources and is a critical leader on the organization's management team. It 


2 



92 


is therefore crucial that the CIO be invested with the authority to manage these various aspects of 
IT. 

Organizational placement of the CIO has a direct impact upon that individual’s ability to effect 
the changes necessary to drive the IT function toward success. The CIO must be able to 
strategically plan for enterprise-wide IT resources and be a critical leader on the organization’s 
management team. This reduces the likelihood that each element within the department will 
view their IT needs separately, as unique entities, leading to stove-piped IT solutions. 

There are additional challenges that all CIOs across the federal government face: lack of direct 
control of IT spending; balancing the speed for technology refresh with the federal budget cycle; 
lack of resources - people, funding, time; lack of representation at the business/decision-making 
tables; communicating IT visions and investment decisions in a manner that is understood by 
senior management; and maintaining an effective security posture in the face of a constantly 
changing environment. 

While the Clinger-Cohen Act clearly places responsibility for coordination of IT investment 
decisions with the CIO, there are difficulties in executing this objective if the CIO does not have 
direct control over IT spending and the IT budgets within a department. Although departmental 
CIOs have been working for several years to truly align investments strategically and with a 
view toward what is best for the enterprise, there are still numerous IT projects, and the 
associated budget dollars, that are hidden inside “programs.” The challenge is to bring together 
the CIO and Chief Financial Officer communities to work together to eliminate the “burying” of 
funding, and instead recognize the importance of focusing on IT as a global resource for a 
department. Hence the structure of DHS forces this interaction on a daily basis. 

As mentioned earlier in my statement, it is key that a CIO have good business skills and a 
business/mission operations sense. These skills are crucial in meeting the challenges associated 
with communicating with senior management and business leaders. The CIO must 
communicate, and where necessary educate, the business community on the IT vision and 
investment decisions. 

As technology is changing rapidly, more effective planning for “refreshing" hardware and 
software must occur. Payoff will come through increased mission performance and lower 
operating costs. Special incentives to retain, and in some instances to retrain, talented IT 
professionals; recruiting tools such as bonuses and moving expenses; would allow the CIO to 
reshape his/her organization rapidly to meet the changing government challenges. 

The Federal Information Security Management Act (FISMA) was enacted to further hold 
leadership accountable for all aspects of information security, and I strongly believe this is the 
right approach. We should acknowledge that IT security is a huge challenge with a doubling of 
cyber attacks each year, this has been a fact of life for the past 5 or so years. There are significant 
difficulties associated with maintaining an effective security posture in large organizations, and 
FISMA correctly places responsibility for information security squarely on the shoulders of each 
agency head. This fact, coupled with the additional authorities placed on the CIO, further 


3 



93 


strengthens the effectiveness of an enterprise program by ensuring that each organization 
approaches security from a top-down, corporate perspective. 

I thank you again for the opportunity to appear before the committee this afternoon, and I look 
forward to answering your questions. 


4 



94 


Mr. Putnam. Thank you very much. 

Our next witness is Mr. Vance Hitch. Mr. Hitch serves as the 
Chief Information Office of the Department of Justice. He manages 
the Department’s $1.7 billion IT program, overseeing management 
acquisition and integration of the Department’s information re- 
sources. His oversight includes strategic planning, policy, capital 
planning, systems development, telecommunications, information 
security, data management, enterprise architecture, e-government, 
and user computing. Before coming to the Department of Justice, 
Mr. Hitch was a senior partner with Accensure. He has 28 years 
of experience in leading government organizations successfully 
through major change initiatives. 

Welcome to the subcommittee, sir. You are recognized. 

Mr. Hitch. Thank you, Mr. Chairman. I am pleased to be here 
to talk about my job and how it fits at the Department of Justice 
and the Federal community. 

As you have stated, I come from the outside, 27 years of outside 
experience managing large IT projects and major change programs, 
both in a variety of industries as well as government. I have been 
the CIO of the Department of Justice for 2 years this past April, 
so I already am senior to the average CIO, which is hard to believe. 

You asked a number of questions, responsibilities critical to my 
success. I believe my principal responsibility as a CIO is to create 
and lead an organization that will enable our mission accomplish- 
ment through technology. That is first and foremost my responsibil- 
ity. And there is a lot of management responsibilities that go along 
with, but I view my job as mission accomplishment. 

At the Department of Justice I came upon a very decentralized 
organization, and, therefore, my job in accomplishing that mission 
was to more strongly coordinate from a central perspective the IT 
organization, and that has required major change. That was par- 
ticularly important in the Department of Justice, since I came on 
board after September 11 and a new mission had been created at 
the Department of Justice, and that was counterterrorism. So we 
really had to do things differently than we had done before, which 
was a burning platform for me; and I used that in terms of creating 
the organization that I needed to carry out what I view as my mis- 
sion. 

Some of the key responsibilities that I have are those that are 
listed there on the chart by the GAO: obviously, enterprise archi- 
tecture, IT investment management, security, IT human capital 
planning, and program oversight. And I think all of those are im- 
portant, but I do think having a major impact on the IT budget is 
absolutely critical. Having the ability to start and stop projects, if 
necessary, is important. So I think those things are echoing what 
I have heard some of the other panelists say. 

One of the things that I did that is unique at the Department 
of Justice that I used as a platform to help create some of the 
change in carrying out my responsibilities was a program that we 
are now pursuing called the Law Enforcement Information Sharing 
Program. And initiated this program about a year ago as a way of 
bringing together our various law enforcement components who, as 
I said, grew up with strong cultures of their own and as a decen- 
tralized organization, to get them to better share information effec- 



95 


tively. And that is particularly important in our counterterrorism 
as well as our law enforcement missions. 

The way I did that was by creating subgroups to deal with any 
policy changes we needed, any changes in our concept of oper- 
ations, as well as technology; and out of that technology subgroup 
came what I call our strategic IT architecture for information shar- 
ing at the Department of Justice. We now have that as kind of the 
bible of what we are trying to do to achieve information sharing, 
and what I am doing is mapping all of the forty-some odd programs 
that we have and IT initiatives that we have that many of them 
came before I became CIO at the Department of Justice; they had 
their origins as stovepipe systems. I am sure you have heard that 
term. So it was my job to somehow fit them together. 

This IT information sharing architecture is what lets me do that, 
and I map into that architecture and then it basically allows me 
to identify the changes necessary in each IT program to achieve our 
overall information sharing goals. So that is one of the ways I have 
used enterprise architecture as a tool to help me achieve my mis- 
sion. 

You wanted some comments, and you got lots of them from ev- 
erybody, about the most important aspect of the reporting struc- 
ture, and what is the most effective way that we can report. I will 
comment on what we have at the Department of Justice, which I 
think works very well. I will say that it was new with me coming 
on board, it did not exist prior to my coming on board as the CIO 
in April of 2 years ago. 

The reporting relationships that I have are I do report directly 
to the Attorney General on matters of IT policy and IT strategy, 
and I report to the Assistant Attorney General for administration 
on operational matters. I think reporting to the top of the organiza- 
tion is extremely important because I must be viewed at the same 
table and I must be viewed as a peer of the component heads, and 
those are the heads of the FBI, the heads of the Drug Enforcement 
Agency, the U.S. Marshals, all those major agencies within the De- 
partment of Justice. I must be viewed as somebody who can be 
their helper in making things happen at their agency and across 
the department in IT. And that is the only way that I will be able 
to achieve my mission of making IT a strategic enabler of our mis- 
sion accomplishment, which is law enforcement and 
counterterrorism across the whole department. 

As part of my reporting responsibilities, I sit on the Strategic Ad- 
visory Council, which is chaired by the deputy attorney general, 
and that includes all the members of the largest components of the 
organization and deal with all strategic matters. Obviously, I sit on 
it as a representative of the IT interest of the whole department. 
I also sit on a council called the National Security Coordinating 
Council within the Department of Justice. It is composed of the 
component heads, once again, of the law enforcement agencies, and 
that enables me to get close to their business to make sure that 
I have my finger on the pulse of what is our mission and what we 
are trying to achieve from a law enforcement standpoint. So I think 
those are critical reporting relationships. 

Commenting on the duration, the term that is necessary. Basi- 
cally, I believe 3 to 4 years is what is necessary to have a lasting 



96 


impact. Actually, I do believe that I was effective almost imme- 
diately, and that is through having an impact on individual pro- 
grams that were already underway. But given the fact that it takes 
at least 2 years to have an impact on the budget itself, because of 
the budgeting cycle in the Federal Government, to get those pro- 
grams initiated and to make them real, it is going to take at least 
3 to 4 years to have them implemented. 

Concerning the characteristics, I think you have heard a lot. 

Mr. Putnam. We will get to this in questions, but I do want to 
get to the testimony before we have votes, and your time has ex- 
pired. So if you could just summarize for us, please, and then I will 
go to Mr. Hobbs. 

Mr. Hitch. OK. 

I don’t think I have anything new to add in terms of characteris- 
tics of a CIO, except I do want to add one, which is persistence. 
You know, basically working in the Federal Government is a big 
bureaucracy; it takes a long time to accomplish things. I think you 
have to keep at it, go the extra mile, do whatever it takes to earn 
respect and confidence of the colleagues. 

Major challenges, I think my biggest one is culture change, be- 
cause I said initially that we are going from a decentralized organi- 
zation to one which is much more strongly centrally coordinated. 
The concept of a CIO was not there when I arrived, so making that 
culture change to become an effective CIO in that kind of organiza- 
tion is the biggest challenge that I face. 

[The prepared statement of Mr. Hitch follows:] 



97 



Department nf justice 


STATEMENT 

OF 

VANCE E. HITCH 
CHIEF INFORMATION OFFICER 
JUSTICE MANAGEMENT DIVISION 

BEFORE THE 

SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, 
INTERGOVERNMENTAL RELATIONS AND THE CENSUS 

COMMITTEE ON GOVERNMENT REFORM 

UNITED STATES HOUSE OF REPRESENTATIVES 

CONCERNING 

FEDERAL GOVERNMENT MANAGEMENT OF INFORMATION TECHNOLOGY 

PRESENTED ON 


JULY 21, 2004 




98 


Testimony of Vance E. Hitch 
Chief Information Officer 
Department of Justice 
Before the 

House Committee on Government Reform 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations, and the Census 
July 21, 2004 


Chairman Putnam, Ranking Member Clay, and distinguished Members of 
the Subcommittee, it is a pleasure to appear before you today to discuss 
the responsibilities and challenges that I face as Chief Information Officer 
(CIO) at the Department of Justice. 

The mission of the Department is broad and formidable ranging from 
preventing terrorism and promoting the nation’s security to ensuring the 
fair and efficient operation of the federal justice system. As CIO, I lead 
the Department in the use of technology and expanded information 
sharing toward these goals. 

This afternoon I would like to provide you my perspective on the role of the 
CIO in leading a large federal agency, managing the delivery of IT 
services, and facilitating changes that may be needed for more effective 
and efficient service delivery. Specifically, I will address the following 
important questions. 

What responsibilities of a federal CIO are most critical to the success 
of their organization? 


At the most basic level, a CIO must create a well-functioning information 
technology (IT) organization that is effective in delivering centralized IT 
products and services and in providing departmental guidance to 
component IT programs. But perhaps even more important, especially in 
a decentralized organization, is a CIO's responsibility to lead their 
organization toward a common vision of how IT can and will support 
mission accomplishment. 

Strategic planning is an important responsibility that enables a CIO to 
develop the IT vision and communicate the strategic initiatives that will be 
put in place to realize that vision. It informs budget decisions. Most 
importantly, it provides a framework for communicating the key projects for 
realizing the CIO’s vision and programs. 

At the Department of Justice, my job has been to unite a previously 
decentralized IT management approach and create a CIO organization 


I 




99 


designed to support the post 9/1 1 counterterrorism mission of the 
Department without any loss of IT support to other departmental 
programs. Law enforcement information sharing has proven an effective 
catalyst to pull together related programs across the Department. 

I view CIO responsibilities for implementing enterprise architecture, 
investment management, information management, and human capital 
planning processes as core IT program tools to accomplish a needed 
transformation in IT culture and capabilities. Applying these processes to 
law enforcement information sharing has crystallized broadly applicable 
issues of how we work together across the department - and where we 
must make changes and improve. 


What is the most useful reporting structure for a CIO within the 
agency to achieve these responsibilities? 

I report directly to the Attorney General on strategic IT issues and to the 
Assistant Attorney General for Administration on operational management 
issues. This arrangement works well at the Department of Justice. 

This reporting relationship affords me the authority to make certain 
departmental IT decisions on behalf of the Attorney General. In addition, 
this organizational positioning allows me to be most effective in providing 
departmental oversight to component programs. At the same time, I have 
an organizational relationship with the DOJ Controller through my 
reporting relationship to the Assistant Attorney General for Administration. 

I believe that the CIO must have a reporting relationship to the head of the 
agency to be effective in carrying out the broad range of legislative 
responsibilities. Technology is a mission “enabler”. Without senior-level 
organizational placement, there can be no guarantee that an open and 
active IT perspective is brought to important departmental program and 
budget decisions. 


Is there a specific duration of time that a CIO must remain in their 
position to be effective? 

I came to the role of CIO at the Department of Justice approximately two 
years ago from outside the federal service. Based on my experience, I 
believe that it takes three to four years for a CIO to implement IT initiatives 
that have a lasting impact on agency programs. 

First, an effective CIO must establish and maintain a network of 
relationships internally, with externa! organizations, and with governmental 


2 



100 


oversight bodies to carry out the broad scope of CIO legislative 
responsibilities effectively. For a new CIO, it can take a year, or more, to 
establish such a network of resources. 

It then takes an additional year for a new CIO to complete a full planning 
and budget cycle and reflect their strategic vision in the IT capital plan that 
goes forward for funding. In other words, a new CIO must be in the 
position at least two years to have an impact on the allocation of budget 
resources to IT plans and requirements. 

It is not until year three or four that the CIO begins to see the benefits of 
the strategic IT initiatives that have been developed, funded, and 
implemented across the organization. At this point, the culture changes 
and new IT capabilities in the CIO organization and across the 
Department should be in place to sustain the IT initiatives for lasting 
impact. 


What characteristics and qualifications should a CIO possess? 

Many diverse skills are necessary to do the job of CIO. There is, however, 
no single educational background, experience, or training that uniquely 
prepares someone to do this difficult job well. The size and complexity of 
a particular agency’s IT program will usually determine the specific 
characteristics and qualifications that are likely to lead to a successful 
tenure as CIO. 

However, there are certain core attributes that all successful CIO’s share. 
The first is an understanding of the missions and business processes of 
the agency. Without this insight, it will be difficult to plan and build 
systems that are responsive to program needs. And, of course, the CIO 
must have a solid understanding of projects, systems, and technologies. 
Agency leadership and staff look to the CIO to provide IT oversight and 
guidance while the Office of Management and Budget, the General 
Accountability Office, and Congress hold the CIO accountable for results. 

Another core attribute of successful CIOs is strong planning and 
management skills to assure that the IT program is implemented as 
planned with appropriate human capital resources. Leadership and team 
building are important for CIOs who often depend on limited resources in a 
large IT organization. Additionally, the CIO must have strong 
communication skills to reach out to people of various backgrounds across 
an agency and persuade them to support the IT vision with participation in 
specific projects. Finally, the CIO must be persistent - changing culture 
and organizations is a multi-year process. 


3 



101 


What are the major challenges that CIOs face? 

CIOs face many difficult challenges. I believe that culture change, 
changing the way people operate, is the hardest challenge facing CIOs in 
the federal government today. Closing the ongoing gap between agency 
culture and the rapid rate of technological change requires CIO 
commitment and endurance. Yet, no agency can afford to delay such 
changes as programs increasingly depend on IT for mission 
accomplishment. 

Technology has an important role providing a technical infrastructure that 
supplies desktops, networks, databases, application systems, wireless 
devices, and more. The challenge that faces CIO’s today is to shift the 
orientation away from IT as solely a “back office” function to IT as an 
mission critical organization. 

CIOs must create a strong, capable organization with the right leadership 
and management team in place to effectively carry out the diverse range 
of responsibilities given to the CIO. From a recruiting perspective, such 
people are sought after, and they are a scarce resource. One of the 
hardest challenges is recruiting and developing IT project managers. No 
CIO can succeed without trained and experienced project managers to 
carry out the IT vision. 

The last, but not least important, challenge that I will address is the CIO’s 
difficult and ongoing job of assuring the security of the Department's 
information. IT security has always been important at the Department of 
Justice. But today, as we continue to open our systems in support of 
information sharing and e-government initiatives, CIO’s must 
collaboratively address cybersecurity issues, as well as ensure that 
security keeps pace with the needs and expectations of the programs we ' 
support. 

Mr. Chairman, that completes my prepared remarks. I would be happy to 
attempt to answer any questions that you may have at this time. 


4 



102 


Mr. Putnam. Thank you very much. 

Our next witness is Mr. Hobbs. Mr. Ira Hobbs is the Treasury 
Department’s Chief Information Officer. Mr. Hobbs came to Treas- 
ury from the U.S. Department of Agriculture, where he has served 
as the Deputy Chief Information Officer for the past 7 years. He 
has an extensive background in Federal policy development and in- 
formation technology and program management, including a 22- 
year career at USDA. 

Welcome to the subcommittee, sir. You are recognized for 5 min- 
utes. 

Mr. Hobbs. Thank you. Mr. Chairman and members of the sub- 
committee, thank you for inviting me here today to discuss the 
roles and responsibilities of Federal chief information officers. With 
the current Clinger-Cohen Act as our guide, I have been one of 
many Federal executives working to improve our Government’s 
management of our information and IT resources. While we still 
have many miles to go, I am proud of what, as a community, we 
have achieved, and I hope my perspective will add some value to 
our discussion this afternoon. Having already heard from so many 
experienced executives, I will keep my opening comments brief. 

I am honored to be here today representing the U.S. Department 
of the Treasury as its chief information officer. Prior to joining 
Treasury, I did serve as the Deputy Chief Information Officer of 
the Department of Agriculture, where I worked for 7 years under 
three different political CIOs. 

To be a successful Federal chief information officer, one must 
practice executive leadership, and have strong management and 
communication skills. Fundamentally, I believe these qualities are 
more important than having a strong technical background. The 
major challenges we face are not technical challenges; addressing 
and overcoming them requires seasoned and skilled leadership. 
Meeting these challenges also require support from the secretary’s 
office, time to learn organizational business and culture, and to es- 
tablish the relationships necessary to effectively implement change; 
prioritizing amongst the many competing responsibilities of a CIO; 
and, most importantly, directing and motivating employees and 
contractors who are the people every CIO relies on to get the job 
done and results achieved. 

In my experiences, some of the issues raised, such as the time 
required for CIOs to achieve transformation, are mitigated by hav- 
ing a strong deputy CIO. In addition to providing for continuity 
and complimenting the skills of a CIO, a good deputy CIO can 
shorten the learning curve of a new CIO and free the CIO to focus 
on high-priority outward-facing initiatives while the deputy CIO 
serves as the chief operating official internally, making sure that 
all of the trains are kept running and that they are kept running 
on time. This was the model during my tenure as deputy CIO at 
the Department of Agriculture, and I like to believe that it was a 
successful one. 

A large part of the progress we have made in recent years is due 
to the statutory framework laid out by Congress in the Clinger- 
Cohen Act and related legislation, the aggressive implementation of 
these laws by the Office of Management and Budget, and the con- 
tinuing, maturing role of the Federal CIO. 



103 


Thank you for the opportunity to be present today to present my 
thoughts, and I look forward to any questions that I might be able 
to answer. 

[The prepared statement of Mr. Hobbs follows:] 



DEPARTMENT OF THE TREASURY 
OFFICE OF PUBLIC AFFAIRS 


Embargoed for Delivery Contact: Brookly McLaughlin 

July 21, 2004 (202)622-1996 


STATEMENT OF 
IRA L. HOBBS 

CHIEF INFORMATION OFFICER 
U.S. DEPARTMENT OF THE TREASURY 
BEFORE THE 

SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, 
INTERGOVERNMENTAL RELATIONS AND THE CENSUS 
COMMITTEE ON GOVERNMENT REFORM 
U.S. HOUSE OF REPRESENTATIVES 

July 21, 2004 

Mr. Chairman and Members of the Subcommittee, thank you for inviting me here today to 
discuss the role and responsibilities of Federal Chief Information Officers. With the Clinger- 
Cohen Act (P.L. 104-106) for our guide, 1 have been one of many Federal executives working to 
improve our government’s management of our information and IT resources. While we have 
many more miles to go, I am proud of what we as a community have achieved and I hope my 
perspective will add value to our discussion this afternoon. With your permission, I will submit 
my written testimony for the record. 

My Personal Background 

As background to my comments today, I would like to share with you a brief history of my IT 
and general management experiences. Today, I appear before you honored to serve as the Chief 
Information Officer (CIO) of the U.S. Department of the Treasury. I began working in this 
position on June 7 of this year. Prior to joining the Treasury Department, I served as the first 
Deputy CIO of the U.S. Department of Agriculture (USDA), starting in June of 1 997. In my 
seven years in this position at USDA, I worked for and with three politically appointed CIOs. In 
between these appointments, I also served as the Acting CIO for a total duration of 


105 


approximately one and half years. At the bureau or agency level, my IT management experience 
includes five years as Director of the Information Systems and Communications Division of 
USDA's Animal and Plant Health Inspection Service. In addition to these IT experiences, I 
served as the Director of the USDA Office of Operations with overall responsibility for 
management of the four building headquarters complex and the departmental procurement 
program, and worked in human resources management early on in my career. 

In addition to these day jobs, for the past four years, I have been a member of the Federal CIO 
Council Executive Committee and Co-chair of the Council’s Human Capital and IT Committee, 
which continues working to improve the recruitment, retention, and skills of the Federal 
government’s IT workforce. 

Executive Leadership 

The Government Accountability Office (GAO) report that is being released today very clearly 
lays out the basic questions on the responsibilities, reporting relationship, tenure and challenges 
of Federal CIOs. It also documents the commonly held beliefs of most current and former 
Federal CIOs on these issues. In short, managing information and IT in government is not rocket 
science but it is challenging and complex. 

To be a successful Federal CIO, one must practice executive leadership, which by definition 
includes strong management and communication skills. Fundamentally, I believe these qualities 
are more important than whether a CIO should be a political appointee or career civil servant, or 
whether an effective CIO must have a strong technical background. In general, I value common 
sense over technical expertise. The major challenges identified by GAO (i.e. implementing 
effective IT management, obtaining sufficient and relevant resources, communication and 
collaboration, and managing change) are not technical challenges; addressing and overcoming 
them requires seasoned and skilled leadership. 

Responsibilities 

I concur with almost all of the responsibilities the Clinger-Cohen Act (CCA) assigns to Federal 
CIOs. Given the significant investment dollars and program impact of Federal IT systems, 
information and IT management must be the single main responsibility of Federal CIOs. 
Unfortunately, in my experience, there is never enough time or capacity to simultaneously focus 
on all the CCA responsibilities equally. Meeting the challenge of implementing effective 
information and IT management means a CIO - like all executives - must prioritize amongst 
competing responsibilities. Adding non-IT related demands to a CIO’s position description 
further dilutes the time and effort they can spend on the many pressing IT initiatives. 

Reporting Relationship 

In order to achieve the worthy goals of the CCA, it is critical that a Federal CIO report directly to 
their Secretary or his/her proxy. First, successful business process modernization efforts require 
considerable institutional changes. Complete support from the top is needed to drive major 
change initiatives. Second, in my experience, effective information and IT management requires 



106 


working on an equal footing with the business process owners. CIOs must hold their business 
leaders - as the owners of the systems that support their programs - accountable for success 
throughout a system’s lifecycle. 1 can think of no examples of a successful IT program where 
the CIO does not have a strong reporting relationship to the department or agency/bureau head. 

Tenure 

The GAO reports that current and former CIOs commonly cited three to five years as the time 
needed to be effective. In my view, three years is the absolute minimum term required to be a 
very effective CIO. 

One Model for Managing the Challenges Faced by Federal CIOs 

Like all Federal executives, CIOs face a host of competing challenges from managing an aging 
workforce, to meeting unfunded program mandates, to managing change. In their interviews, 
GAO identified one mechanism to ensure continued attention to ongoing objectives when there 
is a hiatus between one CIO and the next, a strong Deputy CIO. In addition to providing for 
continuity and complementing the skills of a CIO, a good Deputy CIO can shorten the learning 
curve for a new CIO. A skilled Deputy CIO can also free the CIO to focus on high priority 
outward facing initiatives while the Deputy CIO serves as the chief operating officer, making 
sure all the trains are running. This was the model during my term as Deputy CIO at the 
Department of Agriculture; I believe it was a successful one. 

Conclusion 

Today, we continue to improve the management of the Federal Government’s information and 
information technology. We have more visibility into where our IT dollars are being spent than 
in the past due to established IT Capital Planning and Investment Control processes and a 
renewed focus on project management. While we are facing an increasing number of cyber 
security threats, we are also devoting significantly more resources to protecting our information 
and IT assets. A large part of our progress is due to the statutory framework laid out by 
Congress in the CCA and related legislation, the aggressive implementation of these laws by the 
Office of Management and Budget, and the maturing role of the Federal CIO. 


- 30 - 



107 


Mr. Putnam. Thank you very much. We appreciate all of your 
testimony and I am particularly pleased that we are were able to 
get through it without the votes interrupting us. 

For all of you, how do your offices interact with the other high- 
ranking officers in the agency, like the CFO, when making capital 
planning decisions? And we will begin with Ms. Nelson. 

Ms. Nelson. The partnership we have with the CFO is probably 
the most important partnership in the agency. We have set up a 
process since I have been at EPA as part of our investment and 
planning process where the deputy CIO and the deputy CFO over- 
see a committee made up of others throughout the agency that re- 
view our portfolio, and it is through that committee that is chaired 
by the two offices that the portfolio is approved and then ultimately 
comes to me for final approval. I work with the CFO to ensure that 
everything that is in that portfolio is accounted for in our budget. 
So no longer are we doing what we used to do, which is put busi- 
ness cases forward when funding didn’t exist in the budget for 
those business cases. 

Mr. Cooper. In the Department of Homeland Security, under the 
under secretary for management, all of the CXOs, the chief admin- 
istrative officer, the chief human capital officer, the chief procure- 
ment officer, the chief financial officer, chief information, we meet 
twice a week and basically are in lockstep on almost everything re- 
lated to management, particularly the financial budget process, 
capital planning and investment. I would argue that within the de- 
partment we have a very strong and every effective relationship 
with the other chiefs, and we will continue to mature those proc- 
esses. It is also reflected in our investment review process, which 
we have introduced into the department. 

Mr. Putnam. Mr. Hitch. 

Mr. Hitch. At the Department of Justice , I report from an oper- 
ational standpoint to the assistant attorney general for administra- 
tion, to whom the controller reports. So I interact on a regular 
basis with the controller and the CFO. From a more form stand- 
point, I chair the IT investment management process and I invite 
as members both the controller and the assistant attorney general 
for administration to review all our IT projects in some level of de- 
tail as they are coming along. Also, in the budget process, which 
we go through, it seems like, all the time, but we are going through 
right now for the 2006 budget year, I am involved in all of the 
budget deliberations about all of the IT budget items, both in the 
initial cuts as well as the final cut. 

Mr. Putnam. Mr. Hobbs. 

Mr. Hobbs. Being new to the Department of the Treasury, our 
relationship is evolving; however, to start out, we have both a chief 
financial officer and a budget officer. I have been involved in all of 
the 2006 budget preparations in terms of hearings by the deputy 
secretary with all of the major bureaus and asked to comment and 
provide feedback on proposals in that regard. The CFO and I have 
a relationship that we are starting to evolve as we look at our cap- 
ital investments and our ongoing investments, and so I believe that 
we are on a firm footing to establish a very strategic and tactical 
relationship in terms of our reviewing the information technology 
budgets and performance of IT investments for the department. 



108 


Mr. Putnam. Mr. Hobbs, you are relatively new to the Treasury, 
you said your relationship is still evolving, but tell us, if you would, 
were there major differences in process, procedures, and approach, 
the fusion of the CIO into management between the two Federal 
departments that you have now worked for? 

Mr. Hobbs. I think it is fair to say that they are different. At 
the Department of Agriculture the process was a lot more mature. 
The Department of Treasury has gone through a fairly large reor- 
ganization that has pulled a lot of that maturity out of its organiza- 
tions. It is now being reformulated, but I think they are on a very 
positive path. We have some growing to do, we have some matur- 
ing to do, but the deputy secretary has established a process where 
we all have an equal seat at the table from a management perspec- 
tive, and he expects us to work together for a common good in 
terms of how we deliver goods and services back to the citizens. 
That involves a very active engagement and role by the CIO in the 
budget and funding process of IT investments across the depart- 
ment. 

Mr. Putnam. Mr. Cooper, Mr. Hitch, let me ask you a twist on 
the same question. Both of you have extensive private sector expe- 
rience, senior partner at Accensure. How dramatic a difference did 
you find between your work at the private sector for years and your 
career in the Federal world? Mr. Hitch first. 

Mr. Hitch. Well, it was pretty dramatic. I did have a taste of 
what it might be like because during my career I worked with the 
Federal Government on many major projects, as well as State and 
local governments, so I knew kind of what I was getting into, but 
you never really know for sure until you are there. And then going 
through the budget process is where you really learn how to oper- 
ate in the Federal Government, I think, effectively. So it was a 
very big change, but I do think my background prepared me very 
well for the challenges that I face, because we are dealing with 
very large projects, we are dealing with culture change and major 
change programs, and as I said in my statement, having a business 
perspective is extremely important, because we are really manag- 
ing a portfolio. And then I think also the process orientation that 
I bring, understanding the business processes, where you start. 
You don’t start with the technology. I think really having that as 
a strong background really helps me be effective in my organiza- 
tion, because that is why I said my main job, I believe, is enabling 
the mission of the organization through technology. 

Mr. Putnam. Mr. Cooper. 

Mr. Cooper. Yes. Having served as a CIO in the private sector, 
it is, in my opinion, dramatically different. In the private sector the 
CIO was a member of the executive committee; there were basi- 
cally about five or six people across the company, and those people 
effectively sat at the same table, heard all the same business deci- 
sions, participated in strategy vision development for the corpora- 
tion. That is a little different than what I have experienced thus 
far in the Department of Homeland Security. Not a value judg- 
ment, just different. 

One of the things that was able to be done in the private sector, 
if business drivers or external events drove a change in the busi- 
ness plan of the corporation, the ability of basically the CIO to im- 



109 


mediately reprioritize or reprogram or change the investment of as- 
sets or the direction of programs or something was in fact instanta- 
neous. That is, again, a little bit different in the Federal sector; 
there are more people involved, it is a little bit lengthier process, 
honestly a little bit more convoluted for me in the learning curve 
type of situation. 

The other thing that plays out is that there was a more effective 
process to prioritize in the private sector across different business 
units. The way I would exemplify that, in the Department of Home- 
land Security I can tell you the top 10 of each of our under sec- 
retaries anchor their major programs. Where I have a little bit 
more difficulty is determining which of all of those top 10 are in 
fact the department’s top 10. Now, part of that is maturity, so this 
is not criticism. We are learning, we are shaping, we are putting 
processes and we are becoming more effective with each month 
that goes by. But that is a significant difference. Those three exam- 
ples that I give you are significantly different than what I had ex- 
perienced in the private sector. 

Mr. Putnam. Ms. Nelson, difference between State and Federal? 

Ms. Nelson. You know, I had the good fortune of having an al- 
most identical position in an environmental agency in State govern- 
ment, so the transition here probably wasn’t nearly as startling as 
it was for somebody simply coming in from the private sector. The 
roles, responsibilities, and reporting relationship were almost iden- 
tical. What is different, and I tell everybody, are things like this. 
We didn’t have anybody in the general assembly who really cared 
and held hearings. We didn’t have anybody in our legislative and 
budget and finance committee, which is comparable to GAO, who 
cared and audited or wrote reports. We didn’t have an inspector 
general who provided the kind of oversight that we often get here. 
And, in fact, we didn’t have anything like a Clinger-Cohen Act. 
What we did, while it is almost identical to the roles and respon- 
sibilities I have now, we simply did because it was good govern- 
ment, and, consequently, we often did it without a lot of oversight 
like this. 

Mr. Putnam. You have heard the second panel of former CIOs, 
and like all good former Federal employees, they have an awful lot 
of bolder statements to make than perhaps they would have made 
had they still been on the payroll. What do you glean from what 
they have shared with this subcommittee, what lessons learned can 
you apply, particularly with respect to the questions that we have 
asked both panels, the turnover, the reporting to the top adminis- 
trator? Most of you have touched on this, but if you would address 
it more fully, just if you would reflect on what they have said with 
regard to those and other matters that they raised. 

Mr. Hobbs, we will begin with you. 

Mr. Hobbs. And here I was waiting for you to come the other 
way. 

Mr. Putnam. Well, I like to keep people off guard. 

Mr. Hobbs. First with respect to the issue on turnover. I think 
that succession planning is an integral part of any manager’s re- 
sponsibility, for one never knows the moment, the hour, the day 
when a person will leave. I believe very strongly in the dual role 
of the CIO and the deputy CIO. My own experiences have dem- 



110 


onstrated over 7 years I served under three different CIOs, yet our 
organization continued, I thought, to move forward and to function. 

I am not sure that going to term appointments means any more 
than going to politically appointed positions means any more than 
going to career appointed positions. I think it is inherently the re- 
sponsibility of each manager to prepare for the organization in 
terms of when you are not there, not so much for while you are 
there. So I think succession planning is the key and I think that 
it is one of the missing elements that we have in the Federal Gov- 
ernment in terms of how we prepared our organizations for transi- 
tions and transformations. 

I believe it is also very critical, when we talk about trans- 
formation, I hear people talking 3, 4, and 5 years. I believe the 
transformations come in succession. And what I mean by that is, 
as one of my colleagues here said today, it takes 2Vo. years to effect 
a budget process. That is one form if transformation. It takes 2 or 
3 years to impact people and culture. That is another form of trans- 
formation. The important thing is to establish an approach and a 
plan about how you are going to do it and then build in the succes- 
sion planning models that allow your organization to function in 
your absence. I believe that is key and critical for us who are in 
government leading large organizations. 

Mr. Putnam. Mr. Hitch. 

Mr. Hitch. I do think turnover is an issue. I do think that turn- 
over is an issue for CIOs everywhere, not just in the Federal Gov- 
ernment. But I do think it is even more of an issue in the Federal 
Government. I think that it does take a while to have a lasting im- 
pact. I think you need to be effective early on and you can be effec- 
tive on a lot of issues early on, but to have a lasting impact, to 
really change the culture, to really change the programs, to really 
bring in the people that are needed, at least in an organization 
that needs a lot of help when you first get there, is going to take 
a while to do. So I think turnover is an issue. I think the 3 to 4 
year timeframe is realistic and perhaps even optimistic and aggres- 
sive, in terms of really getting something done, but I feel that is 
a good benchmark. It somewhat depends on the maturity and the 
depth of the organization you came in to run, if you are taking 
over. I came into an organization that didn’t have a real CIO and 
didn’t perform many of the Clinger-Cohen functions, so I had to 
create an organization, fill those positions. So I think that turnover 
is an issue depending on the stability and maturity of the CIO or- 
ganization within the agency you are talking about. 

Mr. Putnam. Mr. Cooper. 

Mr. Cooper. I too would agree that I think turnover is an issue 
and it is important to be addressed. I would actually concur with 
what Mr. Hobbs said. I think the key points that he raised, deputy 
succession planning, are fundamental and critical success factors in 
addressing that. 

But I would offer one additional observation that I actually 
haven’t heard mentioned in any of our three panels today. One of 
the things that I have observed in a relatively short period of time, 
so I have no data beyond about 2, years, the lure of the private 
sector for skilled and seasoned chief information officers out of the 
Federal Government is very, very significant. One of the things 



Ill 


that obviously plays a role in that is kind of the overall ability of 
the Federal environment to compensate and incent and reward not 
just chief information officers, but key career individuals across the 
Federal Government. I would suggest that perhaps over time that 
might be something that could be explored through surveys or ap- 
propriate bodies to explore how much does compensation and in- 
centives play a role in decisions to leave the Federal Government 
from a CIO position. 

Ms. Nelson. In preparation for today’s hearing, I actually 
brushed up on some long overdue reading and research, and while 
most of it confirmed my own suspicions, there was one thing that 
I found very surprising, and it was a Gartner survey of CEOs 
across the country. In response to a question about transformation, 
they cited two things that most often get in the way of trans- 
formation. The first was culture, and we have talked about that on 
several occasions. The second, interestingly enough, was IT, both 
technology and their technology organizations, their IT organiza- 
tions. They cited them as often being slow, cumbersome, risk ad- 
verse, and getting in the way of the changes they want to make. 

That being the case, and in combination with another survey 
that was done of what are the characteristics most exhibited by 
successful government CIOs, one of those characteristics was the 
fact that the CEO of the organization selected the CIO. And I think 
those two go hand in hand to paint the picture that I agree with. 
I believe a CIO can best serve the organization if they are political, 
because that means they are sitting with the most senior leader- 
ship in the organization. In most agencies, the senior leadership is 
political; the cabinet head, the deputy secretary. So in order to be 
able to sit at the table to truly understand the business, the strat- 
egy, and the policies of the organization, I do think you need a po- 
litical CIO. 

I agree with Ira that you are going to have turnover. I don’t 
think the turnover of political CIOs is all that much different than 
the turnover of political appointees in general. So we just need to 
accept the fact that you are going to have turnover, just like the 
Army accepts the fact that you can bring people in for a couple of 
years and train them and put them back out when there is a draft. 
Accept the fact and have a strong deputy CIO, have a strong tran- 
sition planning process, and I think those two things combined can 
oftentimes achieve the greatest results, because the CIO is close to 
the CEO, or in government case, a deputy secretary or agency 
head, understands the demands, understands they have a short 
time period, and they will push for change. 

Mr. Putnam. Mr. Cooper, you raised the issue of compensation, 
which is a fair one to raise. I had been raising the issue of account- 
ability on the negative side. Compensation is certainly an appro- 
priate thing to bring up on the positive side, on the encouragement, 
incentivizing side. It does raise a number of interesting questions. 
For example, in Department of Homeland Security, your depart- 
ment’s budget is what? 

Mr. Cooper. For IT or overall? Overall it is about $40 billion. 

Mr. Putnam. And for IT? 

Mr. Cooper. About 10 percent, about 4.2 of that. 



112 


Mr. Putnam. So slightly larger than most of the private sector 
companies 

Mr. Cooper. That is correct. 

Mr. Putnam [continuing]. That are attracting a lot of our talent 
and paying them substantially more. I hate to ask you to solve the 
question that you raised, but recognizing that it is a legitimate 
issue, how do we arrange a schedule that is commensurate with 
running the Department of Defense, running the Department of 
Homeland Security or running the Department of Justice or Treas- 
ury? Of course, I think Mr. Hobbs just goes out to the printer in 
the back room and pulls a few sheets of or something like that to 
take care of the Christmas bonus. But if you don’t work in that de- 
partment, how do we compensate people and compete with the pri- 
vate sector, knowing what people would be worth in the private 
sector for far less responsibility than what you carry? 

Mr. Cooper. Mr. Chairman, would you allow me to think on this 
for a week and get back to you? 

Mr. Putnam. I would. 

Mr. Cooper. I don’t have a good answer. I am not trying to duck 
the question at all; it is one that we really have talked about a fair 
amount in the department. We simply just don’t have a real effec- 
tive answer yet. There is perhaps a model that might serve. I 
know, for example, that in the Department of Veterans Affairs phy- 
sicians actually are on slightly different pay scales; they are able 
to pay higher than just what I think of as the GS pay scale. I also 
know that in our own department there are some incentives around 
our scientists for, specifically, the reason that we have to compete 
with the universities and the research institutes across the United 
States. Those might serve as models for key technical personnel in 
the Federal Government. But if you allow me to give it a little bit 
more thought, I would like to comment. 

Mr. Putnam. Sure. And there is an entire commission working 
on it. I think this is what somebody gave Paul Volcker the job of 
going and solving this problem. It is a legitimate issue, but there 
are no easy answers considering the system of government that we 
have. 

Mr. Hitch, what brought you into public service? What brought 
you into the public sector, coming from where you were? 

Mr. Hitch. Yes, I kind of went in the reverse direction from what 
we find in many of the CIOs who spend a long time career in the 
Government and then went outside. Frankly, I came to the Depart- 
ment of Justice to make something happen that I would hope 
would help the national security of the country. And I think that 
goal is something that is real, the desire to do public service, just 
like people in Congress or anything else; you are here to do public 
service. It is especially hard on CIOs because there is such a huge 
disparate pay scale, and the draw of the counterparts in the pri- 
vate sector funds that work for us who make multiples. So I think 
a different pay schedule, something like Steve was talking about, 
may be helpful. 

I do think we do need to solve better, I think, the problem of just 
accountability and responsibilities, because I hear it in a lot of pri- 
vate discussions among CIOs, and I also have experience in some 
of the components within Justice who brought people in from the 



113 


outside, very, very accomplished CIOs who were on the outside, 
who came in basically because of changes in culture and not able 
to adapt quickly enough to the culture, an inability to make some- 
thing happen in a realtime basis, which is different in the Federal 
Government from the private sector. You can make things happen 
faster in the private sector, that is why I made the comment about 
persistence. 

So I think the reporting relationships are important, because 
that is what enables you to make something happen in more of a 
reasonable time. It is going to take longer in the government than 
it does in the private sector, but if you aren’t positioned properly 
in the organization and don’t have enough credibility and are 
viewed as a peer by the people that you need to influence strongly 
in order to be effective, it is a disincentive, so that is a reason a 
lot of people leave. 

Mr. Putnam. I would like to give our panelists an opportunity for 
closing comments as we wind this down. Give us the answer to the 
question you wish you had been asked or final thoughts, whatever 
you choose, beginning with Ms. Nelson. And, Mr. Hobbs, you are 
going to get the last word for us. So, Ms. Nelson, you are recog- 
nized. 

Ms. Nelson. The day is late, everybody is tired, I am sure, so 
I have said everything I needed to say or someone else has said it. 
So thank you for the opportunity. 

Mr. Putnam. Beautifully spoken. 

Mr. Cooper. 

Mr. Cooper. That is tough to follow, but I would echo the same 
thing. Thank you. 

Mr. Putnam. Mr. Hitch. 

Mr. Hitch. I am not going to delay this any more. 

Mr. Putnam. You all act like it is excruciating. 

Mr. Hobbs. I guess, Congressman, the last word does come to 
me. I think it important, from my perspective, that the role of the 
Federal CIO continues to be examined, and certainly applaud you 
for the work that you have done within our community in the last 
couple of years and continue to ask us to raise the bar in terms 
of performance and in terms of accountability and in terms of re- 
sults. But I also point out sometimes that when we are called, it 
seems as if we are islands unto ourselves, that we somehow are re- 
sponsible for everything. And so I simply point out what an old 
friend has always said to me: it is more about the team than it is 
about the individual. And that team is both the management group 
across the department, as well as the organization that CIOs build. 
So sometimes I think it important to examine team performance 
just as closely as we look at the CIO’s role. We hope sometimes to 
have more authority and more responsibility than we actually 
have. So I applaud you for your effort, but I also point out the team 
is smarter than any one individual is ever going to be in terms of 
improving the economy and the efficiency of government, and that 
is where I believe the proof of the pudding truly lies, with the 
team. 

Mr. Putnam. Thank you very much. I appreciate the testimony 
of all of our witnesses, and in the event that there may be addi- 



114 


tional questions we did not have time for today, the record will re- 
main open for 2 weeks for submitted questions and answers. 

This meeting is adjourned. 

[Whereupon, at 5 p.m., the subcommittee was adjourned, to re- 
convene at the call of the Chair.] 

[Additional information submitted for the hearing record follows:] 



115 


Committee on Government Reform 

Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the 

Census 

•‘Where’s the CIO? The Role, Responsibility and Challenge For Federal Chief 
Information Officers in IT Investment Oversight and Information Management" 

July 21, 2004 

Questions for the Record for Mr. Paul Brubaker 


Chairman Putnam asked a question regarding how to improve accountability. I would 
like to provide the additional clarification for my response for the record. 

The Clinger-Cohen Act was established to improve accountability for information 
technology investments among agencies by requiring agencies to clearly establish 
anticipated measurable improvements in mission performance before systems could be 
acquired. It was also expected that business and operational processes subject to 
automation would be re-engineered before applying technology. Moreover, risk 
assessment and consistency with architecture and standards were also envisioned to drive 
the investment decision-process that is a large part of the overall capital planning and 
investment control process managed by agency Chief information Officers. 

The anticipated measurable benefits for each system would provide the basis for 
determining whether a system was on the path toward delivering results during its 
development. It was further envisioned that once deployed, systems would actually 
achieve the anticipated benefits and that the agency head and CIO would be held 
accountable for ensuring that the system met or exceeded expectations. Under Clinger- 
Cohen, agency heads and chief information officers were expected to terminate those 
systems which are not on track to achieve results. 

Clinger-Cohen also envisioned a move away from large dollar, high-risk projects of 
grand design which were too large to properly oversee and where promised payoffs often 
failed to materialize. Instead, agencies were to use incremental acquisition in order to 
reduce risk and to reward those contractors who delivered results in smaller, scaleable 
increments by awarding follow-on work to those who achieved results. This was the 
original vision of modular procurement although through the regulatory process and 
actual practice that vision has not been fully realized. 

All of these features, envisioned under Clinger-Cohen were to provide a sound and 
logical basis for accountability and for achieving desired results. 


o 



